Abstract. The theory of the natural numbers with linear order and monadic predicates underlies propositional linear temporal logic. To study temporal logics for real-time systems, we combine this classical theory of infinite state sequences with a theory of time, via a monotonic function that maps every state to its time. The resulting theory of timed state sequences is shown to be decidable, albeit nonelementary, and its expressive power is characterized by $\omega$-regular sets. Several more expressive variants are proved to be highly undecidable.

This framework allows us to classify a wide variety of real-time logics according to their complexity and expressiveness. In fact, it follows that most formalisms proposed in the literature cannot be decided. We are, however, able to identify two elementary real-time temporal logics as expressively complete fragments of the theory of timed state sequences, and give tableau-based decision procedures. Consequently, these two formalisms are well-suited for the specification and verification of real-time systems.


1 Introduction

Linear propositional temporal logic (PTL) has been demonstrated to be a working tool for the specification and verification of reactive systems ([Pn77], [OL82], [LP84], [MP89]). Its practical appeal stems from the strong theoretical connections that PTL, which is interpreted over infinite sequences of states, enjoys with the underlying classical first-order theory of the natural numbers with linear order and monadic predicates: PTL captures an elementary, yet expressively complete, fragment of this nonelementary theory ([SC85], [GPSS80], [St74]); that is, any property of state sequences expressible in the monadic first-order theory of $(\mathbb{N}, <)$ can also be specified in PTL, which has a much simpler decision problem.

* This research was supported in part by an IBM graduate fellowship to the second author, by the National Science Foundation under grant CCR-8812595, by the Defense Advanced Research Projects Agency under contract N00039-84-C-0211, and by the United States Air Force Office of Scientific Research under contracts 88-0281 and 90-0057.

** An abbreviated version of this paper appears in the proceedings of the 5th Annual IEEE Symposium on Logic in Computer Science (1990).

PTL admits, however, only the specification of qualitative time requirements, such as an event occurring "eventually." To enable quantitative reasoning about the timing delays in real-time applications, real-time logics include explicit time references and are interpreted over timed state sequences, which associate a time with every state ([JM86], [Os87], [Ha88], [AH89], [Ko89], [HLP90]). Even though the suitability as specification language has often been demonstrated, most of these previous attempts remain ad hoc, with little regard to complexity and expressiveness questions.

The prime objective of this paper is to develop a unifying framework for the study of real-time logics. In analogy to the untimed case, we identify the underlying classical theory of timed state sequences, show it to be nonelementarily decidable, and use its complexity and expressiveness as a point of reference. We are able to define two orthogonal extensions of PTL that inherit its appeal: they capture elementary, yet expressively complete, fragments of the theory of timed state sequences, and thus are excellent candidates for practical real-time specification languages.

Outline 

In Section 2, we define the theory of timed state sequences by combining a theory of state sequences with a theory of time, via a unary monotonic function that maps every state to its time. As for PTL, the monadic first-order theory of $(\mathbb{N}, <)$ serves as the theory of states. To model time, we choose the theory of $(\mathbb{N}, <, \equiv)$. We show that the resulting combined theory is still decidable, and characterize its expressiveness by $\omega$-regular sets.

We claim that this theory of timed state sequences is indeed the theory for reasoning about finite-state real-time systems. All conceivable extensions and variations, like additional primitives over time (such as addition), or a dense time domain, result in highly undecidable ($\Pi^1_1$-hard) theories. It follows from our results that none of the real-time logics proposed by [JM86], [Os87], [Ha88], and [Ko89] can be decided, which vividly demonstrates that it has not been understood, so far, how expressive a theory of time may be added, without sacrificing decidability, to reasoning about state sequences.

In [AH89], we proposed timed PTL (TPTL) as a natural specification language, and developed a tableau-based decision procedure. It turns out that TPTL captures precisely the fragment of the theory of timed state sequences obtained by combining PTL (the temporal fragment of the states component) with the quantifier-free fragment of the time component. We argued, in [AH89], that it is this restriction of disallowing quantification over time that yields readable specifications as well as finite-state-based verification methods. In Section 3 we show it to be both harmless, by proving the expressive completeness of TPTL with respect to the underlying classical theory, and essential, by proving the nonelementary nature of TPTL extended by quantification over time variables.

There are, in fact, second-order versions of all our theorems: the second-order theory of timed state sequences is still decidable, and just as PTL is generalizable to ETL ([Wo83]), TPTL can be extended to be as expressive as this second-order theory, at no cost in complexity.

Surprisingly, the addition of past operators renders TPTL nonelementary. This induces us to introduce, in Section 4, another expressively complete fragment of the theory of timed state sequences, MTL, which includes past operators, but restricts the states that may be related by timing constraints. We present a tableau-based decision procedure for MTL, thus demonstrating its applicability for the verification of real-time systems.

Both TPTL and MTL are, while being elementary, still quite expensive; the respective decision procedures work in doubly exponential time. In Section 5 we show that this cost is, however, intrinsic to real-time reasoning: any reasonably succinct and reasonably expressive extension of PTL is necessarily EXPSPACE-hard. Even the special case of identifying next-time with next-state, which restricts us to reasoning about synchronous systems, is not cheaper.


2 The Theory of Timed State Sequences

Real-time logics are interpreted over timed state sequences. Given a finite set of propositions $P$ and a time domain $TIME$, a timed state sequence $\rho = (\sigma, \tau)$ is a pair consisting of an infinite sequence $\sigma$ of states $\sigma_i \subseteq P$, $i \geq 0$, and a map $\tau: \mathbb{N} \to TIME$ that associates a time with every state. We introduce the classical theory of timed state sequences, show its decidability, and characterize its expressiveness by $\omega$-regular sets.

2.1 The classical theory of state sequences

First, we recapitulate briefly why the theory of the natural numbers with linear order and monadic predicates underlies linear-time propositional temporal logics, which are interpreted over infinite sequences of states.

Let $\mathcal{L}^2$ be the second-order language with unary predicate symbols and the binary predicate symbol $<$, and let $\mathcal{L}$ be its first-order fragment. We interpret $\mathcal{L}^2$ over the natural numbers, with $<$ being interpreted as the usual linear order. Throughout we consider only formulas that contain no free individual variables. Thus, given a formula $\phi$ of $\mathcal{L}^2$ with the free predicate symbols $p_1, \ldots, p_n$, an interpretation $I$ for $\phi$ specifies the sets $p_1^I, \ldots, p_n^I \subseteq \mathbb{N}$. Such an interpretation can be viewed as an infinite sequence $\sigma$ of states $\sigma_i \subseteq \{p_1, \ldots, p_n\}$, $i \geq 0$ (let $p_k \in \sigma_i$ iff $i \in p_k^I$). By $\mathcal{M}(\phi)$ we denote the set of state sequences that satisfy $\phi$.

Observe that $\mathcal{L}^2$ is essentially the language underlying the theory S1S, the second-order theory of the natural numbers with successor and monadic predicates. This is because, in S1S, the order predicate $<$ can be defined from the successor function using second-order quantification (and vice versa). It was first shown by Büchi that the theory S1S is decidable ([Bu62]).

Formulas of the propositional linear temporal logic PTL can be faithfully translated into $\mathcal{L}$, by replacing propositions with monadic predicates. For example, the typical response property that "Every $p$-state is followed by a $q$-state" is expressed in PTL as

$\Box(p \to \Diamond q).$

It can be written in $\mathcal{L}$ as

$\forall i.\ (p(i) \to \exists j \geq i.\ q(j))$ $\quad(\phi_R)$

without changing the set of models.

Although PTL corresponds to a proper subset of $\mathcal{L}$, it has the full expressive power of $\mathcal{L}$ ([Ka68], [GPSS80]); that is, for every $\mathcal{L}$-formula there is a PTL-formula specifying the same property of state sequences. Furthermore, the validity problem for $\mathcal{L}$ is nonelementary ([St74]), whereas PTL is only PSPACE-complete ([SC85]), and has a singly exponential decision procedure ([BMP81]).

To attain the greater expressive power of $\mathcal{L}^2$, PTL may be strengthened by adding operators that correspond to right-linear grammars ([Wo83]). The resulting logic, extended temporal logic (ETL), has the expressive power of $\mathcal{L}^2$ and, like PTL, still a singly exponential decision procedure.

The expressive power of $\mathcal{L}^2$ is characterized by $\omega$-regular expressions ([Mc66], [Th81]): for any formula $\phi$ of $\mathcal{L}^2$, the set $\mathcal{M}(\phi)$ can be defined by an $\omega$-regular expression over the alphabet $\mathcal{P}(\{p_1, \ldots, p_n\})$. For example, $\mathcal{M}(\phi_R)$ is described by the expression

$[\{p, q\} + \{q\} + \{\} + (\{p\};\ true^*;\ (\{p, q\} + \{q\}))]^\omega.$

The restricted expressive power of $\mathcal{L}$ corresponds to the star-free fragment of $\omega$-regular expressions (in which the Kleene star may be applied only to the expression $true$).


2.2 Adding time to state sequences

To obtain a theory of timed state sequences, we need to identify a suitable time domain $TIME$, with appropriate primitives, and couple the theory of state sequences with this theory of time through a unary ("time") function $f$, which associates a time with every state. We choose, as the theory of time, the theory of the natural numbers (i.e., $TIME = \mathbb{N}$) with linear-order and congruence primitives. Since the time cannot decrease from one state to the next, we require that $f$ be monotonic. We will have an opportunity to justify these decisions later.

Let $\mathcal{L}^2_T$ be a second-order language with two sorts, namely a state sort and a time sort. The vocabulary of $\mathcal{L}^2_T$ consists of unary predicate symbols and the binary predicate symbol $<$ over the state sort, the unary function symbol $f$ from the state sort into the time sort, and the binary predicate symbols $<$, $\equiv_2$, $\equiv_3$, $\ldots$ over the time sort. By $\mathcal{L}_T$ we denote the first-order fragment of $\mathcal{L}^2_T$.

We restrict our attention to structures that choose the set of natural numbers $\mathbb{N}$ as domain for both sorts, and interpret the primitives in the intended way. Thus, given a formula $\phi$ of $\mathcal{L}^2_T$ with the free predicate symbols $p_1, \ldots, p_n$, an interpretation $I$ for $\phi$ specifies the sets $p_1^I, \ldots, p_n^I \subseteq \mathbb{N}$ and a monotonic function $f^I: \mathbb{N} \to TIME$. The satisfaction relation is defined as usual. Every interpretation $I$ for $\phi$ can be viewed as a timed state sequence $(\sigma, \tau)$ (choose $\sigma$ as in the untimed case, and let $\tau = f^I$). By $\mathcal{M}_T(\phi)$ we denote the set of timed state sequences that satisfy $\phi$.

It follows that $\mathcal{L}^2_T$-formulas specify properties of timed state sequences. For example, the requirement of bounded response time that "Every $p$-state is followed by a $q$-state within time 1" can be written as a formula of $\mathcal{L}_T$:

$\forall i.\ (p(i) \to \exists j \geq i.\ (q(j) \wedge f(j) \leq f(i) + 1))$ $\quad(\phi_{BR})$

(note that the successor functions, over either sort, are definable in $\mathcal{L}_T$).

An $\mathcal{L}^2_T$-formula $\phi$ is satisfiable (valid) iff it is satisfied by some (every) timed state sequence. The (second-order) theory of timed state sequences is the set of all valid sentences of $\mathcal{L}^2_T$. We prove it to be decidable.

2.3 Decidability and expressibility

First we show that, given an interpretation $I$ for an $\mathcal{L}^2_T$-formula $\phi$, the information in $I$ essential for determining the truth of $\phi$ has finite-state character.

Let us consider the sample formula $\phi_{BR}$ again. A timed state sequence for $\phi_{BR}$ specifies, for every state, the truth values of the predicates $p$ and $q$, and the value of the time function. Since $f$ is interpreted as a monotonic function, it can be viewed as a state variable recording, in every state, the increase in time from the previous state. Although $f^I$ ranges over the infinite domain $\mathbb{N}$, observe that if the time increases by more than 1 from a state to its successor, then the actual value of the increase is of no relevance to the truth of $\phi_{BR}$.

Consequently, to determine the truth of $\phi_{BR}$, the state variable can be modeled using a finite number of unary time-difference predicates. We employ the three new predicates $Tdiff_0$, $Tdiff_1$, and $Tdiff_2$ in the following way: $Tdiff_0$ is true of a state iff the time increase from the previous state is 0, $Tdiff_1$ is true iff it is 1, and $Tdiff_2$ is true iff it is greater than 1. Accordingly, we define the notion of an extended state sequence for $\phi_{BR}$ as a state sequence over the propositions $p$, $q$, $Tdiff_0$, $Tdiff_1$, and $Tdiff_2$ such that precisely one of the propositions $Tdiff_0$, $Tdiff_1$, and $Tdiff_2$ is true in any state.

Given an extended state sequence, we can recover a corresponding timed state sequence: the value of the time function in a $Tdiff_t$-state is obtained by adding $t$ to its value in the previous state (if $Tdiff_t$ holds in the first state, let $t$ be its time). This establishes a many-to-one correspondence between the timed and the extended state sequences for $\phi_{BR}$; it induces an equivalence relation on the set of all interpretations for $\phi_{BR}$ such that the truth of $\phi_{BR}$ is invariant within any equivalence class. Every equivalence class is, furthermore, definable by a finite number of propositions.

For formulas with congruence primitives, we need to introduce, apart from time-difference predicates, also unary time-congruence predicates, to keep track of the congruence class of the time value of every state. For example, consider the following formula $\psi$, which states that "$p$ is true in every state with an even time value":

$\forall i.\ (f(i) \equiv_2 0 \to p(i)).$

Given an interpretation $I$ for $\psi$, the information in $f^I$ can be captured by the two predicates $Tcong_0$ and $Tcong_1$: $Tcong_0$ is true for states with even time, and $Tcong_1$ is true for states with odd time.

Now we formalize this idea. Let $c(\phi)$ be the least common multiple of the set $\{c \mid \equiv_c \text{ occurs in } \phi\}$, and $d(\phi)$ the product of $c(\phi)$ and $4^Q$, where $Q$ is the number of time quantifiers (i.e., quantifiers over variables of the time sort) occurring in $\phi$.

Given a formula $\phi$ of $\mathcal{L}^2_T$ with the free predicate symbols $p_1, \ldots, p_n$, an extended state sequence $J$ for $\phi$ specifies the sets $p_1^J, \ldots, p_n^J \subseteq \mathbb{N}$, a partition of $\mathbb{N}$ into the sets $Tdiff_0^J, \ldots, Tdiff_{d(\phi)}^J$, and another partition of $\mathbb{N}$ into the sets $Tcong_0^J, \ldots, Tcong_{c(\phi)-1}^J$. For any interpretation $I$ for $\phi$, the extended state sequence $J$ underlying $I$ is defined as follows:

• $J$ agrees with $I$ on $p_1, \ldots, p_n$.

• For $i \geq 0$ and $0 \leq t < d(\phi)$, $i \in Tdiff_t^J$ iff $f^I(i) = f^I(i-1) + t$.

• For $i \geq 0$, $i \in Tdiff_{d(\phi)}^J$ iff $f^I(i) \geq f^I(i-1) + d(\phi)$.

• For $i \geq 0$ and $0 \leq t < c(\phi)$, $i \in Tcong_t^J$ iff $f^I(i) \equiv_{c(\phi)} t$.

(Throughout we use the convention that, for any interpretation $I$, $f^I(-1) = 0$.)
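The abstraction just defined, worked through on constructed data as an added example (this code is not part of the paper): the functions build the extended state sequence underlying an interpretation for given $d(\phi)$ and $c(\phi)$, recover one timed state sequence from it, check the consistency between time jumps and congruence classes that the theorem in this section later imposes, and evaluate $\phi_{BR}$ both on timed and on extended sequences, with $d = 2$ matching the three predicates $Tdiff_0$, $Tdiff_1$, $Tdiff_2$ of the informal discussion. Finite prefixes stand in for the paper's infinite sequences; that, the sample data, and the function names are assumptions of the example.

```python
"""Extended state sequences as the finite-state abstraction of time (Section 2.3).

Added example, not from the paper: it builds the extended state sequence J
underlying an interpretation I for given d(phi) and c(phi), recovers one timed
state sequence from J (the many-to-one direction), and evaluates phi_BR both on
the timed sequence and on the extended one. Sequences are finite prefixes (an
assumption; the paper's are infinite), so a p-state with no q-witness inside
the prefix counts as a violation. All sample data below is constructed.
"""
from typing import FrozenSet, List, Optional, Tuple

Ext = Tuple[FrozenSet[str], int, int]  # (sigma_i, t with Tdiff_t(i), k with Tcong_k(i))

def extended_state_sequence(states: List[FrozenSet[str]], f: List[int], d: int, c: int) -> List[Ext]:
    """Map I = (states, f^I) to its underlying extended state sequence J.
    Tdiff_t for t < d records a jump of exactly t, Tdiff_d a jump of at least d,
    and Tcong_k records f^I(i) mod c, with the paper's convention f^I(-1) = 0."""
    assert len(states) == len(f), "one time value per state"
    out, prev = [], 0
    for sigma, t in zip(states, f):
        assert t >= prev, "f must be monotonic"
        out.append((sigma, min(t - prev, d), t % c))
        prev = t
    return out

def consistent(ext: List[Ext], d: int, c: int) -> bool:
    """The theorem's consistency conjunct, as formalised here: whenever the jump
    into state i is some t < d, the congruence class of state i equals that of
    state i-1 plus t (class 0 before the first state, since f(-1) = 0)."""
    prev_cong = 0
    for _, tdiff, tcong in ext:
        if tdiff < d and (prev_cong + tdiff) % c != tcong:
            return False
        prev_cong = tcong
    return True

def recover_timed(ext: List[Ext], d: int, big_jump: Optional[int] = None) -> List[int]:
    """One timed state sequence in the class of `ext`: add t for a Tdiff_t-state
    and any value >= d (default d) for a Tdiff_d-state."""
    big_jump = d if big_jump is None else big_jump
    assert big_jump >= d, "a Tdiff_d-state means a jump of at least d"
    f, t = [], 0
    for _, tdiff, _ in ext:
        t += tdiff if tdiff < d else big_jump
        f.append(t)
    return f

def bounded_response_timed(states: List[FrozenSet[str]], f: List[int]) -> bool:
    """phi_BR: forall i. (p(i) -> exists j >= i. (q(j) and f(j) <= f(i) + 1))."""
    for i, sigma in enumerate(states):
        if "p" in sigma and not any(
            "q" in states[j] and f[j] <= f[i] + 1 for j in range(i, len(states))
        ):
            return False
    return True

def bounded_response_extended(ext: List[Ext]) -> bool:
    """phi_BR read off the extended sequence (d = 2), as the L^2 formula in the
    text does: between i (exclusive) and j (inclusive) every jump is 0, or
    exactly one jump is 1 and all others are 0."""
    for i, (sigma, _, _) in enumerate(ext):
        if "p" not in sigma:
            continue
        witnessed = False
        for j in range(i, len(ext)):
            if "q" not in ext[j][0]:
                continue
            jumps = [ext[k][1] for k in range(i + 1, j + 1)]
            if all(x == 0 for x in jumps) or (jumps.count(1) == 1 and max(jumps) == 1):
                witnessed = True
                break
        if not witnessed:
            return False
    return True

# Constructed sample: one state sequence under three different time maps.
STATES = [frozenset(s) for s in ({"p"}, set(), {"q"}, {"p", "q"}, {"p"}, {"q"})]
F_OK = [0, 0, 1, 5, 5, 6]         # satisfies phi_BR
F_FAR = [0, 0, 1, 100, 100, 101]  # same extended sequence as F_OK: jump 99 is "at least 2"
F_BAD = [0, 0, 1, 5, 5, 9]        # the last p-state has no q-state within time 1

def demo() -> Tuple[bool, bool, bool]:
    """The lemma in action: F_OK and F_FAR share an extended sequence, and the
    timed and extended evaluations of phi_BR agree on every sample."""
    d, c = 2, 1  # phi_BR contains no congruence primitive, so c = 1
    exts = [extended_state_sequence(STATES, f, d, c) for f in (F_OK, F_FAR, F_BAD)]
    agree = [bounded_response_timed(STATES, f) == bounded_response_extended(e)
             for f, e in zip((F_OK, F_FAR, F_BAD), exts)]
    return exts[0] == exts[1], all(agree), not bounded_response_extended(exts[2])

if __name__ == "__main__":
    print(demo())  # (True, True, True)
```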

Lemma [Finite-state character of time]. Given a formula $\phi$ of $\mathcal{L}^2_T$ and two interpretations $I$ and $J$ for $\phi$ with the same underlying extended state sequence, $I \in \mathcal{M}_T(\phi)$ iff $J \in \mathcal{M}_T(\phi)$. ∎

Proof: Consider two interpretations $I$ and $J$ for the $\mathcal{L}^2_T$-formula $\phi$ that have the same underlying extended state sequence; that is, $I$ and $J$ agree on the free predicate symbols of $\phi$, and for each $i \geq 0$, $f^I(i)$ and $f^J(i)$ belong to the same congruence class modulo $c(\phi)$, and either $f^I(i) - f^I(i-1)$ is the same as $f^J(i) - f^J(i-1)$, or both are at least $d(\phi)$.

We use induction on the structure of $\phi$ to prove our claim. To handle subformulas with free variables properly, we need to strengthen our assumptions about the equivalence of interpretations with respect to a formula.

Let $\psi$ be a subformula of $\phi$, possibly with free variables. Let $d(\psi)$ be the product of $c(\phi)$ and $4^Q$, where $Q$ is the number of time variables bound in $\psi$. For ease of presentation, we represent the function $f$ by the countable set of variables $\{f_i \mid i \geq 0\}$: for any interpretation $I$, let $f_i^I = f^I(i)$. By $Tvar(\psi)$ we denote the union of the set of free time variables of $\psi$ with $\{f_i : i \geq 0\}$. We say that two interpretations $I'$ and $J'$ for $\psi$ are equivalent with respect to $\psi$ iff they satisfy the following conditions:

• For every predicate symbol $q$ free in $\psi$, $q^{I'} = q^{J'}$.

• For every state variable $i$ free in $\psi$, $i^{I'} = i^{J'}$.

• For all $x, y \in Tvar(\psi)$, $x^{I'} < y^{I'}$ iff $x^{J'} < y^{J'}$.

• For every $x, y \in Tvar(\psi)$, if $0 \leq x^{I'} - y^{I'} < d(\psi)$, then $x^{J'} - y^{J'} = x^{I'} - y^{I'}$, and vice versa.

• For every $x \in Tvar(\psi)$, $x^{I'} \equiv_{c(\phi)} x^{J'}$.

Clearly, the given two interpretations $I$ and $J$ are equivalent with respect to the given formula $\phi$. Thus, it suffices to show that, for any subformula $\psi$ of $\phi$ and equivalent interpretations $I'$ and $J'$ for $\psi$, $I' \models \psi$ implies $J' \models \psi$. We do so by induction on the structure of $\psi$.

The interpretations $I'$ and $J'$ agree on the assignment to predicate symbols and state variables of $\psi$. They may assign different values to the elements in $Tvar(\psi)$, but they agree on their ordering and modulo-$c(\phi)$ congruence classes. Clearly, if $\psi$ is an atomic formula, then $I' \models \psi$ iff $J' \models \psi$.

The case of boolean connectives is straightforward.

Suppose that $\psi$ is of the form $\exists p.\ \psi'$, for a predicate symbol $p$, and that $I' \models \psi$. Let $I''$ be an extension of $I'$ such that $I'' \models \psi'$. From the inductive hypothesis, the extension of $J'$ that assigns the set $p^{I''}$ to $p$ is a model of $\psi'$. Hence, $J' \models \psi$. The case that $\psi$ is of the form $\forall p.\ \psi'$ is similar.

If the outermost operator of $\psi$ is a quantifier for a state variable, then we can proceed as in the previous case.

Now consider the case that $\psi$ is of the form $\exists x.\ \psi'$, for a time variable $x$. Suppose that $I' \models \psi$. Let $I''$ be an extension of $I'$ such that $I'' \models \psi'$. First note that $d(\psi') = c(\phi) \cdot 4^{Q-1}$. We extend $J'$ to an interpretation $J''$ for $\psi'$ in the following way: if for some $y \in Tvar(\psi)$, $|y^{I'} - x^{I''}| < d(\psi')$, then choose $x^{J''}$ to be $y^{J'} + x^{I''} - y^{I'}$. Otherwise, let $y_1, y_2 \in Tvar(\psi)$ be such that $y_1^{I'} < x^{I''} < y_2^{I'}$. Note that $y_2^{I'} - y_1^{I'}$ is at least $d(\psi)$, and hence, so is $y_2^{J'} - y_1^{J'}$. We choose $x^{J''}$ between $y_1^{J'}$ and $y_2^{J'}$ at a distance at least $d(\psi')$ from either of them. Furthermore, since the difference between $d(\psi)$ and $2d(\psi')$ is at least $c(\phi)$, we can require the modulo-$c(\phi)$ congruence class of $x^{J''}$ to be the same as that of $x^{I''}$. Now $I''$ and $J''$ satisfy the requirements listed above. Using the inductive hypothesis, $J'' \models \psi'$, and hence, $J' \models \psi$. The case of universal quantification is similar. ∎

It follows that the extended state sequence underlying a given interpretation for an $\mathcal{L}^2_T$-formula $\phi$ has enough information for deciding the truth of $\phi$. Consequently, every formula $\phi$ can be viewed as characterizing a set $\mathcal{M}_T(\phi)$ of satisfying extended state sequences, instead of a set of satisfying timed state sequences. Our next task is to show that this set is $\omega$-regular. This is achieved by constructing a formula in the language $\mathcal{L}^2$ that is satisfied by the same extended state sequences.

For instance, the extended state sequences that satisfy $\phi_{BR}$ are the same as the models of the following formula:

$\forall i.\ \Big( p(i) \to \exists j \geq i.\ \big( q(j) \wedge ( \forall k.\ (i < k \leq j \to Tdiff_0(k)) \vee \exists k.\ (i < k \leq j \wedge Tdiff_1(k) \wedge \forall k' \neq k.\ (i < k' \leq j \to Tdiff_0(k'))) ) \big) \Big)$


Theorem [Regular nature of the time primitives]. Given a formula $\phi$ of $\mathcal{L}^2_T$, there exists a formula $\psi$ of $\mathcal{L}^2$, with additional time-difference predicates $Tdiff_0, \ldots, Tdiff_{d(\phi)}$ and time-congruence predicates $Tcong_0, \ldots, Tcong_{c(\phi)-1}$, such that $\mathcal{M}_T(\phi) = \mathcal{M}(\psi)$. Furthermore, if $\phi \in \mathcal{L}_T$ then $\psi \in \mathcal{L}$. ∎

Proof: Given an $\mathcal{L}^2_T$-formula $\phi$, we construct an equivalent (with respect to extended state sequences) $\mathcal{L}^2$-formula $\psi$ in four steps.

First, we eliminate all time quantifiers. Let $I$ be an interpretation for $\phi$, and $t = d(\phi) + c(\phi)$. We can easily find an interpretation $J$ with the same underlying extended state sequence, such that $f^J(i) \leq f^J(i-1) + t$ for all $i \geq 0$. By the previous lemma, we know furthermore that $J \models \phi$ iff $I \models \phi$. Based on this observation we perform the following transformation: a subformula $\exists y.\ \psi(y)$, where $y$ is a time variable, is replaced by the disjunction

$\bigvee_{k=0}^{t} \psi(k) \ \vee\ \exists i_y.\ \bigvee_{k=0}^{t} \psi(f(i_y) + k),$

for a new state variable $i_y$. Let $\phi'$ be the formula obtained from $\phi$ by applying the above transformation repeatedly until there are no time quantifiers left; clearly $\mathcal{M}_T(\phi') = \mathcal{M}_T(\phi)$.

The second step, resulting in $\phi''$, models the primitive time arithmetic of comparisons and addition by constants by the time-difference predicates. For instance, consider the subformula $f(i) + 1 \leq f(j)$, for state variables $i$ and $j$. Intuitively, for $f(i)$ to be less than $f(j)$ in any interpretation, state $i$ has to precede state $j$, and the time increase from the previous state has to be positive for some intermediate state. Hence, we replace the subformula by

$(i < j) \wedge \exists k.\ (i < k \leq j \wedge \neg Tdiff_0(k)).$

Similarly, $f(i) \leq f(j)$ and $f(i) \leq f(j) + 1$ can be replaced by

$\forall k.\ (j < k \leq i \to Tdiff_0(k))$ $\quad(\phi_0)$

and

$\phi_0 \vee \exists k.\ [\, j < k \leq i \wedge Tdiff_1(k) \wedge \forall k' \neq k.\ (j < k' \leq i \to Tdiff_0(k'))\,],$

respectively. The generalization to subformulas of the form $f(i) + c \leq f(j)$ and $f(i) \leq f(j) + c$, for arbitrary $c \geq 1$, is straightforward.

In a third step, we model the congruence primitives of $\phi''$ with the help of the time-congruence predicates. Consider a subformula of the form $f(i) + c \equiv_d f(j)$. Since there is only a finite number of modulo-$c(\phi)$ congruence classes to which $f(i)$ and $f(j)$ can belong, we can use a case analysis to express this relationship. We replace the subformula by

[case analysis over $k = 1, \ldots, d$, $k' = 1, \ldots, c(\phi)/d$ and $k'' = 1, \ldots, c(\phi)/d$; the body of the formula is not legible in this scan]

Subformulas of the form $f(i) \equiv_d c$ can be handled similarly.

Let $\phi'''$ be the formula resulting from eliminating all time primitives in the described way. The desired $\mathcal{L}^2$-formula $\psi$ is obtained by adding, to $\phi'''$, the following conjuncts:

• For every state $i \geq 0$, precisely one of the time-difference predicates $Tdiff_0, \ldots, Tdiff_{d(\phi)}$ is true.

• For every state $i \geq 0$, exactly one of the time-congruence predicates $Tcong_0, \ldots, Tcong_{c(\phi)-1}$ is true.

• For all $i \geq 0$, the congruence classes of $i$ and $i+1$, and the time jump $f(i+1) - f(i)$ are related in a consistent fashion:

[conjunction ranging over $d(\phi)$ and $c(\phi)$ and involving $Tcong_k(i)$; the formula is not legible in this scan]

∎

The above theorem, combined with the earlier stated facts about $\mathcal{L}^2$, gives the following important results regarding the decidability and expressiveness of the theory of timed state sequences.

Corollary [Decidability]. The validity problem for the language $\mathcal{L}^2_T$ is decidable. ∎

Clearly, the validity problem is nonelementary even for the first-order language $\mathcal{L}_T$, as $\mathcal{L}$ is a fragment of $\mathcal{L}_T$ (recall that $\mathcal{L}$ was shown to be nonelementary in [St74]).

Corollary [Expressiveness]. Given a formula $\phi$ of $\mathcal{L}^2_T$ with the free predicate symbols $p_1, \ldots, p_n$, the set $\mathcal{M}_T(\phi)$ can be characterized by an $\omega$-regular expression over the alphabet

$\mathcal{P}(\{p_1, \ldots, p_n\}) \times \{Tdiff_0, \ldots, Tdiff_{d(\phi)}\} \times \{Tcong_0, \ldots, Tcong_{c(\phi)-1}\}.$

Furthermore, if $\phi \in \mathcal{L}_T$ then $\mathcal{M}_T(\phi)$ can be defined by a star-free $\omega$-regular expression. ∎

2.4 Undecidable extensions and variants

Now we justify our choice of $(\mathbb{N}, <, \equiv)$ as the theory of time, by showing that several formalisms for real-time reasoning with an expressive power greater than that of $\mathcal{L}_T$ are highly undecidable. In [AH89], we proved the $\Pi^1_1$-completeness of certain syntactic and semantic variants of the real-time temporal logic TPTL. Here, these results are refined, extended, and presented in the framework of the theory of timed state sequences.

Theorem [Undecidable theories of real time]. The following two-sorted first-order theories are $\Pi^1_1$-complete:

Case 1: state theory $(\mathbb{N}, <)$; time theory $(\mathbb{N}, +1)$; time function (from states to time) $f$.

Case 2: state theory $(\mathbb{N}, <)$ with monadic predicates; time theory $(\mathbb{N}, \cdot 2)$; time function: identity $f$.

Case 3: state theory $(\mathbb{N}, <)$ with monadic predicates; time theory: dense linear order $(D, <)$ with "successor" $S$ satisfying $x < S(x)$ and $x < y \to S(x) < S(y)$; time function: strictly monotonic $f$.

Case 4: state theory $(\mathbb{N}, <)$ with monadic predicates; time theory $(\mathbb{N}, +1)$; time function: identity $f$ and strictly monotonic [symbol not legible in this scan].

∎

Proof: First, we observe that the satisfiability of a formula $\phi$ can, in all cases, be phrased as a $\Sigma^1_1$-sentence, asserting the existence of a model for $\phi$. For instance, in Case 2, an interpretation $I$ for $\phi$ may be encoded, in first-order arithmetic, by finitely many sets of natural numbers; say, one for each unary predicate $p$ in $\phi$, characterizing the states for which $p$ holds. It is routine to express, as a first-order formula, that $\phi$ holds in $I$. In Case 3, the Löwenheim-Skolem theorem ensures the existence of countable models, and again, elementary arithmetic can be used to encode (and decode) such models. Thus the satisfiability problem is in $\Sigma^1_1$ in each case.

Now let us prove $\Sigma^1_1$-hardness. The problem of deciding whether a nondeterministic Turing machine has, over the empty tape, a computation in which the start state is visited infinitely often, is known to be $\Sigma^1_1$-complete ([HPS83]). For ease of encoding, we prove our results using 2-counter machines instead of Turing machines.

A nondeterministic 2-counter machine $M$ consists of two counters $C$ and $D$, and a sequence of $n$ instructions, each of which may increment or decrement one of the counters, or jump, conditionally upon one of the counters being zero. After the execution of a non-jump instruction, $M$ proceeds nondeterministically to one of two specified instructions.

We represent the configurations of $M$ by triples $(l, c, d)$, where $0 \leq l < n$, $c \geq 0$, and $d \geq 0$ are the current values of the location counter and the two counters $C$ and $D$, respectively. The consecution relation on configurations is defined in the obvious way. A computation of $M$ is an infinite sequence of related configurations, starting with the initial configuration $(0, 0, 0)$. It is called recurring iff it contains infinitely many configurations with the value of the location counter being 0.

The problem of deciding whether a given nondeterministic 2-counter machine has a recurring computation is $\Sigma^1_1$-hard ([AH89]). Thus, to show that the satisfiability problem of a language is $\Sigma^1_1$-hard, it suffices, given a nondeterministic 2-counter machine $M$, to construct a formula $\phi_M$ such that $\phi_M$ is satisfiable iff $M$ has a recurring computation.

$\Sigma^1_1$-hardness of Case 1: We show that the monotonicity constraint on time is necessary for the decidability of $\mathcal{L}_T$; otherwise, the time map can be used to encode (and decode) computations of $M$. We write a formula $\phi_M$ all of whose models correspond to recurring computations of $M$. A computation $\Gamma$ of $M$ is encoded by the interpretation $I$ iff, for all $i \geq 0$, $f^I(3i) = l$, $f^I(3i+1) = n + c$, and $f^I(3i+2) = n + d$ for the $i$-th configuration $(l, c, d)$ of $\Gamma$.

First, specify the initial configuration, by

f(0) = 0 ∧ f(1) = n ∧ f(2) = n.    (φ_init)

Then ensure proper consecution by adding a conjunct for every instruction
0 ≤ l < n of M. For instance, the instruction 1 that increments the counter C
and proceeds, nondeterministically, to either instruction 2 or 3, contributes the
conjunct

∀i. (f(i) = 1 → ((f(i+3) = 2 ∨ f(i+3) = 3) ∧ f(i+4) = f(i+1) + 1 ∧ f(i+5) = f(i+2))).    (φ_1)

The recurrence condition can be expressed by the formula

∀i. ∃j ≥ i. f(j) = 0.    (φ_recur)

Clearly, the conjunction φ_M of these n + 2 formulas is satisfiable iff M has a
recurring computation.

Note that φ_M uses only the successor primitive over time, and no unary
predicates. Case 1 follows.
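As an added illustration of the Case 1 encoding (this example is not from the paper), the following Python code simulates a small nondeterministic 2-counter machine, writes a finite prefix of one of its computations into the time map f exactly as above (f(3i) = l, f(3i+1) = n + c, f(3i+2) = n + d), and checks φ_init and the instruction conjuncts on that prefix. The machine, its instruction forms (increment, decrement, and a zero-test jump, which the text above does not spell out), and the choice function that resolves the nondeterminism are constructed for the example; φ_recur ranges over the whole infinite computation and is therefore not checked.

```python
# Added example (not from the paper): the Case 1 encoding of 2-counter machine
# computations as a (non-monotonic) time map f, checked on a finite prefix.

# Constructed machine.  Instruction forms assumed by this example:
#   ("inc", reg, l1, l2): reg := reg + 1, then go nondeterministically to l1 or l2
#   ("dec", reg, l1, l2): reg := reg - 1 (blocked if reg = 0), then go to l1 or l2
#   ("jz",  reg, l0, l1): zero-test jump: go to l0 if reg = 0, else to l1
MACHINE = [
    ("inc", "C", 1, 1),  # 0
    ("inc", "C", 2, 3),  # 1: the instruction discussed in the text
    ("dec", "C", 0, 0),  # 2
    ("inc", "D", 4, 4),  # 3
    ("jz", "C", 0, 2),   # 4
]


def step(machine, config, choose):
    """One consecution step; choose(l1, l2) resolves the nondeterministic successor."""
    loc, c, d = config
    kind, reg, l1, l2 = machine[loc]
    counters = {"C": c, "D": d}
    if kind == "jz":
        nxt = l1 if counters[reg] == 0 else l2
    else:
        if kind == "inc":
            counters[reg] += 1
        else:
            if counters[reg] == 0:
                raise ValueError("decrement of a zero counter: computation blocked")
            counters[reg] -= 1
        nxt = choose(l1, l2)
    return (nxt, counters["C"], counters["D"])


def computation_prefix(machine, length, choose):
    """The first `length` configurations of a computation, starting from (0, 0, 0)."""
    configs = [(0, 0, 0)]
    while len(configs) < length:
        configs.append(step(machine, configs[-1], choose))
    return configs


def encode(machine, configs):
    """Time map of Case 1: f(3i) = l, f(3i+1) = n + c, f(3i+2) = n + d for the
    i-th configuration (l, c, d).  The offset n = number of instructions keeps
    counter values apart from location values: f(j) < n only at positions 3i."""
    n = len(machine)
    f = []
    for loc, c, d in configs:
        f.extend((loc, n + c, n + d))
    return f


def decode(machine, f):
    """Recover the configurations from an encoding."""
    n = len(machine)
    return [(f[3 * i], f[3 * i + 1] - n, f[3 * i + 2] - n) for i in range(len(f) // 3)]


def phi_init(machine, f):
    n = len(machine)
    return f[0] == 0 and f[1] == n and f[2] == n


def phi_instr(machine, f, l):
    """Consecution conjunct of instruction l (phi_1 in the text for l = 1):
    wherever f(i) = l, the triple f(i+3), f(i+4), f(i+5) must encode a legal
    successor configuration.  Checked at every position of the prefix that
    still has a successor triple."""
    n = len(machine)
    kind, reg, l1, l2 = machine[l]
    change = {"inc": 1, "dec": -1, "jz": 0}[kind]
    dc = change if reg == "C" else 0
    dd = change if reg == "D" else 0
    for i in range(len(f) - 5):
        if f[i] != l:
            continue
        current = f[i + 1] if reg == "C" else f[i + 2]   # encoded value of the tested counter
        if kind == "jz":
            loc_ok = f[i + 3] == (l1 if current == n else l2)
        else:
            loc_ok = f[i + 3] in (l1, l2)
            if kind == "dec" and current == n:            # cannot decrement a zero counter
                return False
        if not (loc_ok and f[i + 4] == f[i + 1] + dc and f[i + 5] == f[i + 2] + dd):
            return False
    return True


def phi_M_prefix(machine, f):
    """phi_init together with the n instruction conjuncts.  phi_recur speaks
    about the whole infinite computation and cannot be checked on a prefix."""
    return phi_init(machine, f) and all(phi_instr(machine, f, l) for l in range(len(machine)))


if __name__ == "__main__":
    prefix = computation_prefix(MACHINE, 10, lambda l1, l2: l2)
    f = encode(MACHINE, prefix)
    print(prefix)
    print(f, phi_M_prefix(MACHINE, f))
```

Because f is read back as a list of integers, the example also makes visible why monotonicity matters: the map returns to a value below n every three positions, which a monotonic time function could never do.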

Σ¹₁-hardness of Case 2: We show that a certain extremely modest relaxation
of the timing constraints admitted in L_T, namely allowing the primitive of
multiplication by 2 over the time domain, leads to Σ¹₁-hardness. This result
holds even under the restriction that the time function f is the identity function;
that is, "time" acts merely as a state counter.

To encode computations of M, we use the unary predicates p_1, ..., p_n, r_1,
and r_2. We require that at most one of these predicates is true of any state;
hence we may identify states with predicate symbols. The configuration (l, c, d)
of M is represented by the finite sequence of states that starts with a p_l-state,
and contains precisely c r_1-states and d r_2-states.

The initial configuration as well as the recurrence condition can be expressed
easily. The crucial property that allows a language to specify the consecution
relation of configurations, and thus the set of computations of M, is the ability
to copy an arbitrary number of r-states. With the availability of multiplication
by 2, we are able to have the i-th configuration of a computation correspond,
for all i ≥ 0, to the finite sequence of states that is mapped to the time interval
[2^i, 2^(i+1)). Then we can copy groups of r-states by establishing a one-to-one
correspondence of r-states at time t and time 2t; clearly there are enough gaps to
accommodate an additional r-state when required by an increment instruction.

For instance, the instruction 1 that increments the counter C and proceeds,
nondeterministically, to either instruction 2 or 3, can be expressed as follows:

∀i. (p_1(i) →
  ∃j. (f(j) = 2f(i) ∧ (p_2(j) ∨ p_3(j))) ∧
  ∀j. (f(i) ≤ f(j) < 2f(i) ∧ r_1(j) → ∃k. (f(k) = 2f(j) ∧ r_1(k))) ∧
  ∃j. (2f(i) ≤ f(j) < 4f(i) ∧ r_1(j) ∧ ∀k. (2f(k) = f(j) → ¬r_1(k)) ∧
       ∀j'. (2f(i) ≤ f(j') < 4f(i) ∧ r_1(j') → (j' = j ∨ ∃k. (2f(k) = f(j') ∧ r_1(k))))) ∧
  ∀j. (f(i) ≤ f(j) < 2f(i) ∧ r_2(j) → ∃k. (f(k) = 2f(j) ∧ r_2(k))) ∧
  ∀j. (2f(i) ≤ f(j) < 4f(i) ∧ r_2(j) → ∃k. (2f(k) = f(j) ∧ r_2(k)))).

The consequent of the implication ensures that, given the configuration of M
that is encoded by the states with times in the interval I_1 : [f(i), 2f(i)), the
states with times in I_2 : [2f(i), 4f(i)) encode the configuration that results from
executing instruction 1. The first conjunct updates the location counter. The
second conjunct requires I_2 to contain at least as many r_1-states as I_1; together
with the third conjunct it assures that I_2 has precisely one r_1-state more than
I_1. The last two conjuncts together state that the number of r_2-states in I_2 is
the same as in I_1.

Σ¹₁-hardness of Case 3: Now we attempt to model time over a dense domain
TIME = D; that is, between any two given time points there is another time
point. We show that even the simple arithmetic of linear order (≤) and addition
by a constant (S) leads to a highly undecidable theory. Examples for (D, ≤, S)
are the rational numbers (Q, ≤, +1), and the reals.

As in the previous case, we employ the predicates p_1, ..., p_n, r_1, and r_2: a
configuration (l, c, d) of M is encoded by the same state sequence as in Case 2. The proof
depends, once more, on the ability to copy groups of r-states. This time, we
are able to have the i-th configuration of a computation of M correspond, for
all i ≥ 0, to the finite sequence of states that is mapped to the time interval
[S^i(0), S^(i+1)(0)), for some arbitrary element 0 ∈ D, because the denseness of
the domain allows us to squeeze arbitrarily many states into any non-empty
interval.

Since every state has a unique time, and we can establish a one-to-one
correspondence of r_j-states (j = 1, 2) at time t and time S(t), the formula defining
the recurring computations of M can be obtained from the formula constructed
in Case 2, simply by replacing the operation ·2 by S.

Σ¹₁-hardness of Case 4: This case corresponds to having two time bases, f
and f', that are updated, from one state to the next, independently of each
other. The result holds already for the special case in which f is the identity
function, and f' is strictly increasing.

The encoding of M-computations is very similar to the one used in Case
2; the i-th configuration of M corresponds to the sequence of 2^i states in the
interval [2^i, 2^(i+1)). The assertion language does not include the primitive of
multiplication by 2, which can, however, be simulated with the help of the second
time function f'. We restrict ourselves to interpretations in which f'(i) = 2i for
all i ≥ 0. This condition is enforced by the conjunct

f'(0) = 0 ∧ ∀i. (f'(i+1) = f'(i) + 2).

By replacing, in the formula constructed in Case 2, every term of the form 2f(i)
by f'(i), we obtain again a formula encoding the recurring computations of M.

■

Let us consider the implications of these results on developing logics for
real-time systems, which justify our decisions in the choice of L_T.

The fact that the monotonicity constraint on the time function is required for
decidability (Case 1) has little consequences in the context of real-time logics,
since we are interested only in monotonic time functions anyway.

When designing a real-time logic we need to select an appropriate domain for
modeling time. Ideally, for asynchronous systems, where changes in the global
state of the system can be arbitrarily close in time, we would like to choose
a dense linear order. Since the ordering predicate and addition by constant
time values are the basic primitives needed to express the simplest of timing
constraints, the undecidability of the resulting theory (Case 3) is a major stumbling
block in the design of useful logics over dense time. For example, the
real-time (branching-time) logics considered in [AD90] and [Le90] use the set of
real numbers to model time, and hence are undecidable.

Having constrained ourselves to a discrete time domain, we need to choose
the operations on time admitted in the logic. While previous works have used
addition as one of the primitives, the above theorem (Case 2) shows that it
introduces undecidability. Using our results and techniques, we can show the
undecidability (in fact, Σ¹₁-hardness) of various real-time logics proposed earlier,
such as [JM86], [Os87], [Ha88], and [Ko89], all of which include addition. In
[HLP90], decidability is proved for a real-time logic with addition; this logic
puts, however, substantial restrictions on the use of time quantifiers.

The real-time logic RTL ([JM86]) can be viewed as a two-sorted logic with
multiple monotonic functions from the state sort to the time sort. Our result
(Case 4) implies that RTL is undecidable, even if we restrict its syntax to allow
only the successor primitive over time (RTL allows addition over time).

On the other hand, we have shown that the congruence primitives over time
can be added to the language without sacrificing decidability. Furthermore, we
have proved decidability for the second-order case as well. Thus we claim that
the first-order theory of (N, <) with monadic predicates (for state sequences)
combined with the theory of (N, <, ≡) (for time) is the theory of timed state
sequences.

3 Timed Temporal Logic: TPTL

In [AH89], we introduced an extension of PTL that is interpreted over timed
state sequences. We developed a tableau-based decision procedure and model-checking
algorithm for this timed propositional temporal logic (TPTL), thus
demonstrating its suitability for the verification and synthesis of real-time systems.

In this section, we study the expressiveness of TPTL. We compare the
properties of timed state sequences expressible in TPTL with those expressible
in the underlying classical language L_T. TPTL is shown to correspond to an
expressively complete fragment of L_T; that is, the set of models of any L_T-formula
can be characterized by a TPTL-formula. This result is important as
it establishes TPTL as a sufficiently expressive specification language; it shows
that the gains in complexity in moving from the full first-order theory of timed
state sequences (nonelementary) to TPTL (doubly exponential) are not achieved
at the cost of expressive power.

We also look at two natural extensions of TPTL that correspond to larger
fragments of L_T and, therefore, are still decidable. However, both generalizations
turn out to be nonelementary, thus affirming our choice of TPTL as
verification formalism. TPTL can, on the other hand, be generalized to attain
the full expressiveness of the second-order language at no cost in complexity.

3.1 Syntax and semantics

We briefly recall the definition of TPTL. This real-time temporal logic is obtained
from PTL by adding a time quantifier "x." that binds the associated
variable x to the "current" time: x.φ(x) holds at state σ_i of the timed state
sequence (σ, τ) iff φ(τ(i)) does. For example, in the formula ◇x. φ, the time
reference x is bound to the time of the state at which φ is "eventually" true.

This extension of PTL with references to the times of states admits the
addition of timing constraints; that is, atomic formulas that relate the times
of different states. The formulas of TPTL are built from propositions and
timing constraints by connectives, temporal operators, and time quantifiers. For
instance, the typical bounded response property that "Every p-state is followed
by a q-state within time 1" can be stated as

□x. (p → ◇y. (q ∧ y ≤ x + 1)).    (φ_br)

Let us be more precise. Given a set P of proposition symbols and a set V
of variables, the terms π and formulas φ of TPTL are inductively defined as
follows:

• π := x | c | x + c

• φ := p | π_1 ≤ π_2 | π_1 =_d π_2 | false | φ_1 → φ_2 | ○φ | φ_1 U φ_2 | x. φ

for x ∈ V, p ∈ P, c ≥ 0, and d ≥ 2.³ Additional temporal operators such as ◇
(eventually) and □ (always) are defined in terms of ○ (next) and U (until) as
usual.

The formulas of TPTL are interpreted over timed state sequences.⁴ The
timed state sequence ρ = (σ, τ) satisfies φ iff (ρ, 0) ⊨_{E_0} φ for the initial environment
E_0 : V → TIME, where the truth predicate ⊨_E is inductively defined as
follows:

³TPTL as originally defined in [AH89] differs syntactically in that the time quantifiers are
coupled with the temporal operators. Observe that this coupling does not restrict us in any
essential way; by separating the time quantifier "x." from the temporal operators, we admit
more formulas (such as □(x.φ → x.ψ)), for each of which there is, however, an equivalent
formula in which every quantifier follows a temporal operator (□x. (φ → ψ)).

⁴In [AH89], timed state sequences are required to satisfy the two additional conditions of
initiality (x. x = 0) and progress (□x.◇y. y > x). These requirements make sense for any real-time
specification language, but we have just demonstrated that they are expressible within
TPTL itself.
• (ρ, i) ⊨_E p iff p ∈ σ_i

• (ρ, i) ⊨_E π_1 ≤ (=_d) π_2 iff E(π_1) ≤ (=_d) E(π_2),
for E(x + c) = E(x) + c and E(c) = c

• (ρ, i) ⊭_E false

• (ρ, i) ⊨_E φ_1 → φ_2 iff (ρ, i) ⊨_E φ_1 implies (ρ, i) ⊨_E φ_2

• (ρ, i) ⊨_E ○φ iff (ρ, i+1) ⊨_E φ

• (ρ, i) ⊨_E φ_1 U φ_2 iff (ρ, j) ⊨_E φ_2 for some j ≥ i, and
(ρ, k) ⊨_E φ_1 for all i ≤ k < j

• (ρ, i) ⊨_E x. φ iff (ρ, i) ⊨_{E[τ(i)/x]} φ

(Here E[t/x] denotes the environment that agrees with E : V → TIME on all
variables except x, which is mapped to t ∈ TIME.) Note that every TPTL-
formula is equivalent to its closure, in which all free variables are bound by a
prefix of time quantifiers.

Every TPTL-formula φ can be translated into L_T while preserving the set
of models M_T(φ). For every proposition p of TPTL, we have a corresponding
unary state predicate p(i) of L_T. A closed TPTL-formula φ is true over a timed
state sequence ρ iff the L_T-formula F_0(φ) is true over ρ, where F_i (for i ≥ 0) is
inductively defined as follows:

• F_i(p) = p(i)

• F_i(π_1 ≤ π_2) = π_1 ≤ π_2, F_i(π_1 =_d π_2) = π_1 =_d π_2

• F_i(false) = false, F_i(φ_1 → φ_2) = F_i(φ_1) → F_i(φ_2)

• F_i(○φ) = F_{i+1}(φ)

• F_i(φ_1 U φ_2) = ∃j ≥ i. (F_j(φ_2) ∧ ∀i ≤ k < j. F_k(φ_1))

• F_i(x. φ) = F_i(φ)[f(i)/x].

(We write φ[f(i)/x] for the formula that is obtained from φ by replacing all free
occurrences of x by f(i).)

For example, the bounded response property φ_br is equivalent to its translation
F_0(φ_br):

∀i ≥ 0. (p(i) → ∃j ≥ i. (q(j) ∧ f(j) ≤ f(i) + 1)).

Note that the mapping F_0 embeds TPTL into L_T; its range constitutes a
proper subset of all well-formed L_T-formulas. Thus, just as PTL corresponds
to a subset of L, we may view TPTL as a fragment of L_T: quantification over
the state sort is restricted to the "temporal" way of PTL, while quantification
over the time sort is prohibited entirely.
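The following Python code is an added example, not part of the paper: it implements the embedding F_i above as a structural recursion over TPTL formula trees (tuples) and renders the resulting L_T-formula as text, so that the translation of φ_br can be compared with the formula just given. The derived operators ◇ and □ get their own clauses, obtained by expanding the primitive ones for U and →, and fresh state variables are drawn from a generator; both are choices of this example, as is the tuple encoding of formulas.

```python
# Added example (not from the paper): the embedding F_i of TPTL into L_T as a
# structural recursion over formula trees, rendered as text.  Formulas are
# tuples: ("p", name), ("le", t1, t2), ("cong", t1, t2, d), ("false",),
# ("imp", a, b), ("next", a), ("until", a, b), ("bind", x, a), plus the derived
# ("not", a), ("and", a, b), ("eventually", a), ("always", a), whose clauses are
# obtained by expanding the primitive ones.  Terms: ("var", x), ("const", c), ("plus", x, c).
import itertools


def fresh_names():
    """Unused state-variable names: i, j, k, ..., then i1, i2, ..."""
    yield from "ijklmn"
    for n in itertools.count(1):
        yield f"i{n}"


def render_index(name, offset):
    """The state index i + offset as text: "0", "i", "i+1", ..."""
    if name is None:
        return str(offset)
    return name if offset == 0 else f"{name}+{offset}"


def render_term(term, env):
    """Time terms; a bound variable has been replaced by f(i) in env."""
    kind = term[0]
    if kind == "var":
        return env.get(term[1], term[1])
    if kind == "const":
        return str(term[1])
    if kind == "plus":
        return f"{env.get(term[1], term[1])} + {term[2]}"
    raise ValueError(term)


def F(phi, index, env, fresh):
    """F_index(phi) with the substitution env applied to free time variables."""
    kind = phi[0]
    i = render_index(*index)
    if kind == "p":
        return f"{phi[1]}({i})"
    if kind == "le":
        return f"{render_term(phi[1], env)} ≤ {render_term(phi[2], env)}"
    if kind == "cong":
        return f"{render_term(phi[1], env)} =_{phi[3]} {render_term(phi[2], env)}"
    if kind == "false":
        return "false"
    if kind == "imp":
        return f"({F(phi[1], index, env, fresh)} → {F(phi[2], index, env, fresh)})"
    if kind == "not":
        return f"¬{F(phi[1], index, env, fresh)}"
    if kind == "and":
        return f"({F(phi[1], index, env, fresh)} ∧ {F(phi[2], index, env, fresh)})"
    if kind == "next":                     # F_i(○φ) = F_{i+1}(φ)
        return F(phi[1], (index[0], index[1] + 1), env, fresh)
    if kind == "until":                    # ∃j ≥ i. (F_j(φ2) ∧ ∀i ≤ k < j. F_k(φ1))
        j, k = next(fresh), next(fresh)
        return (f"∃{j} ≥ {i}. ({F(phi[2], (j, 0), env, fresh)} ∧ "
                f"∀{i} ≤ {k} < {j}. {F(phi[1], (k, 0), env, fresh)})")
    if kind == "eventually":               # true U φ simplifies to ∃j ≥ i. F_j(φ)
        j = next(fresh)
        return f"∃{j} ≥ {i}. {F(phi[1], (j, 0), env, fresh)}"
    if kind == "always":                   # ¬◇¬φ simplifies to ∀j ≥ i. F_j(φ)
        j = next(fresh)
        return f"∀{j} ≥ {i}. {F(phi[1], (j, 0), env, fresh)}"
    if kind == "bind":                     # F_i(x.φ) = F_i(φ)[f(i)/x]
        return F(phi[2], index, {**env, phi[1]: f"f({i})"}, fresh)
    raise ValueError(phi)


def translate(phi):
    """F_0(phi) for a closed TPTL-formula phi."""
    return F(phi, (None, 0), {}, fresh_names())


# phi_br = □x. (p → ◇y. (q ∧ y ≤ x + 1))
PHI_BR = ("always", ("bind", "x", ("imp", ("p", "p"),
           ("eventually", ("bind", "y", ("and", ("p", "q"),
                                          ("le", ("var", "y"), ("plus", "x", 1))))))))

if __name__ == "__main__":
    print(translate(PHI_BR))
```

Running the block prints ∀i ≥ 0. (p(i) → ∃j ≥ i. (q(j) ∧ f(j) ≤ f(i) + 1)), the translation displayed above; the substitution [f(i)/x] is carried in the environment rather than performed on the output text, which is what keeps nested time quantifiers from capturing each other.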
3.2 Expressiveness

In [AH89] we have shown that, in a pleasing analogy to PTL versus L, TPTL
constitutes in fact an elementary fragment of L_T: the satisfiability of a given
TPTL-formula with N logical and temporal connectives, and K as the product
of its constants, can be decided in doubly exponential time. To complete this analogy, we
show here that the restrictions imposed by TPTL on the quantification in L_T-
formulas do not diminish its expressive power. In other words, any property of
timed state sequences that can be specified in L_T can already be specified in
TPTL.

The natural embedding F_0 gives, for any TPTL-formula φ, an equivalent
L_T-formula F_0(φ), thus demonstrating that L_T is as expressive as TPTL. By
the following theorem, the converse is also true.

Theorem [Expressive completeness of TPTL]. For every formula φ of
L_T, there exists a formula ψ of TPTL such that M_T(φ) = M_T(ψ). ■

Proof: Given an L_T-formula φ, we construct an equivalent TPTL-formula
ψ in four steps. By the theorem on the regular nature of the time primitives
we obtain an L-formula φ' with additional time-difference predicates Tdiff_t
and time-congruence predicates Tcong_t, such that M_T(φ) = M(φ'). By the
expressive completeness of PTL, there is a PTL-formula φ'' such that M(φ')
equals M(φ'') ([GPSS80]).

We transform φ'' into an equivalent PTL-formula φ''' such that every time-
difference proposition Tdiff_t is either not within the scope of any temporal
operator, or immediately preceded by a next operator. This can be done by
repeatedly rewriting subformulas of the form ○(φ_1 → φ_2) and φ_1 U φ_2, to
○φ_1 → ○φ_2 and φ_2 ∨ (φ_1 ∧ (○φ_1) U (○φ_2)), respectively.

Define the constants d(φ) and c(φ) as in Section 2.3. From φ''' we arrive
at ψ by replacing every time-difference proposition Tdiff_t that is not within
the scope of a temporal operator by x. x = t (and x. x ≥ t, if t = d(φ)), every
subformula ○Tdiff_t by x.○y. y = x + t (and x.○y. y ≥ x + t, if t = d(φ)), and
every time-congruence proposition Tcong_t by x. x =_{c(φ)} t. ■

We conclude the discussion of properties expressible in TPTL by interpreting
the logic over pure ("timeless") state sequences, and investigating the expressive
power of the congruence relations.

3.2.1 Timeless expressiveness

With every TPTL-formula φ we can associate a set of state sequences by projecting
the timed state sequences in M_T(φ). Given a state sequence σ and a
TPTL-formula φ, let σ ∈ M_S(φ) iff there is a time map τ such that (σ, τ) ⊨ φ.

Interpreted in this fashion, TPTL can specify strictly more properties of
state sequences than PTL. For example, the property even(p), that "p holds in
every even state," is not expressible in pure PTL ([Wo83]). In TPTL, we may
(ab)use time to identify the even states as precisely those in which the time does
not increase:

x.○y. x = y ∧ □x.○y. (x = y → (p ∧ ○z. (z > y ∧ ○u. u = z))).

The following theorem shows that the expressive power of TPTL with respect
to state sequences is that of the second-order language L², or equivalently, ω-
regular expressions.

Theorem [Timeless expressiveness of TPTL]. For every formula φ of
TPTL, there is a formula ψ of L² such that M_S(φ) = M(ψ), and vice versa. ■

Proof: Given a TPTL-formula φ, we know how to construct an equivalent
L_T-formula φ'. By the theorem on the regular nature of the time primitives
we obtain an L-formula φ'' with additional time-difference predicates Tdiff_t
and time-congruence predicates Tcong_t, such that M_T(φ') = M(φ''). The L²-
formula ψ that binds all of the new time predicates in φ'' by an existential prefix
is easily seen to have the desired models.

In order to show the second implication, we use a normal-form theorem for
L²: given an L²-formula ψ, there is an equivalent L²-formula of the form
∃p_1 ... ∃p_n. ψ', whose matrix ψ' contains no second-order quantifiers ([Bu62]).
We construct a TPTL-formula φ that characterizes the models of ψ', by using
the (existentially quantified) time map to encode the interpretation of the unary
predicates p_j (1 ≤ j ≤ n), which are bound in ψ'.

Assign to every subset J_t ⊆ {1, ..., n} a unique code t ∈ TIME. By the
expressive completeness of PTL, M(ψ') = M(ψ'') for some PTL-formula ψ''
([GPSS80]). From ψ'' we obtain φ by replacing every proposition p_j,
1 ≤ j ≤ n, by x.○y. ∨_{t : j ∈ J_t} y = x + t. It is straightforward to establish a one-
to-many correspondence between the models I = (σ, p_1, ..., p_n) of ψ' and the
timed state sequences (σ, τ) satisfying φ: given I, let τ(i+1) = τ(i) + t such
that J_t = {j | p_j(i)}, and given τ, let p_j(i) iff j ∈ J_{τ(i+1) − τ(i)} (assume that
j ∉ J_t if t is no proper code). ■

It follows that L_T, with the time function existentially quantified, has the
full expressive power of the second-order language L². In fact, the proof given
above shows that equality and successor over the time sort are sufficient to
achieve this timeless expressiveness.

3.2.2 Expressive power of congruences

If we disallow the use of congruence relations in TPTL, the resulting logic is
strictly less expressive. Consider the following formula φ:

□x. (x =_2 0 → p).

It characterizes the timed state sequences in which p is true at all even times.
We show that this property is not expressible without congruence relations.
Suppose that the TPTL-formula ψ, which does not contain any congruence
relations, were equivalent to φ. Let c be the largest constant occurring in ψ. It
is easy to convince yourself that ψ cannot distinguish between the timed state
sequences ρ_1 = (σ, λi. (c + 1)) and ρ_2 = (σ, λi. (c + 2)), for any σ. Yet if p is
continuously false in σ, only one of ρ_1 and ρ_2 satisfies φ.

Note that TPTL without congruence relations has the same expressive power
as the first-order language L_T without congruences. However, as has been
pointed out in the previous subsection, the congruence primitives do not affect
the "timeless" expressiveness of these formalisms; for example, we have demonstrated
that the property that "p holds in every even state" (as opposed to every
state with an even time) can be specified without congruences.
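As an added example (not from the paper), the Python code below implements the truth predicate ⊨_E of Section 3.1 over a finite prefix of a timed state sequence and uses it to check the bounded-response property φ_br and the congruence formula φ of this subsection on constructed sequences, including the pair ρ_1, ρ_2 from the argument above for c = 3. The finite prefix is treated as the entire sequence, so ○ at the last state and an U without a witness inside the prefix evaluate to false; that truncation, the tuple encoding of formulas, and the sample sequences are assumptions of the example.

```python
# Added example (not from the paper): the truth predicate |=_E of Section 3.1
# evaluated over a finite prefix of a timed state sequence.  The prefix is
# treated as the whole sequence: "next" at the last state and "until" without a
# witness inside the prefix are false (an assumption of this example).

FALSE = ("false",)


def Not(a):           return ("imp", a, FALSE)                   # ¬a = a → false
def And(a, b):        return Not(("imp", a, Not(b)))             # a ∧ b = ¬(a → ¬b)
def Eventually(a):    return ("until", Not(FALSE), a)            # ◇a = true U a
def Always(a):        return Not(Eventually(Not(a)))             # □a = ¬◇¬a
def Var(x):           return ("var", x)
def Const(c):         return ("const", c)
def Plus(x, c):       return ("plus", x, c)                      # the term x + c


def value(term, env):
    """E(x) = env[x], E(c) = c, E(x + c) = E(x) + c."""
    kind = term[0]
    if kind == "var":
        return env[term[1]]
    if kind == "const":
        return term[1]
    if kind == "plus":
        return env[term[1]] + term[2]
    raise ValueError(term)


def holds(rho, i, env, phi):
    """(rho, i) |=_env phi, for rho = (sigma, tau): sigma[i] is the set of
    propositions true at state i and tau[i] its time."""
    sigma, tau = rho
    kind = phi[0]
    if kind == "p":
        return phi[1] in sigma[i]
    if kind == "le":
        return value(phi[1], env) <= value(phi[2], env)
    if kind == "cong":                                 # π1 =_d π2
        return (value(phi[1], env) - value(phi[2], env)) % phi[3] == 0
    if kind == "false":
        return False
    if kind == "imp":
        return (not holds(rho, i, env, phi[1])) or holds(rho, i, env, phi[2])
    if kind == "next":
        return i + 1 < len(sigma) and holds(rho, i + 1, env, phi[1])
    if kind == "until":
        return any(holds(rho, j, env, phi[2])
                   and all(holds(rho, k, env, phi[1]) for k in range(i, j))
                   for j in range(i, len(sigma)))
    if kind == "bind":                                 # x.φ binds x to tau[i]
        return holds(rho, i, {**env, phi[1]: tau[i]}, phi[2])
    raise ValueError(phi)


def satisfies(rho, phi):
    """rho |= phi for a closed formula phi (evaluate at state 0)."""
    return holds(rho, 0, {}, phi)


# phi_br: every p-state is followed by a q-state within time 1
PHI_BR = Always(("bind", "x", ("imp", ("p", "p"),
           Eventually(("bind", "y", And(("p", "q"), ("le", Var("y"), Plus("x", 1))))))))

# phi of this subsection: p is true at all even times
PHI_EVEN_TIMES = Always(("bind", "x", ("imp", ("cong", Var("x"), Const(0), 2), ("p", "p"))))

# a congruence-free formula whose largest constant is c = 3
PSI_NO_CONG = Always(("bind", "x", Eventually(("bind", "y", ("le", Var("y"), Plus("x", 3))))))

# Constructed sample sequences: (list of states, list of their times)
RHO_OK = ([{"p"}, set(), {"q"}, set(), {"p", "q"}], [0, 0, 1, 3, 4])
RHO_BAD = ([{"p"}, set(), {"q"}, set(), {"p", "q"}], [0, 1, 2, 3, 4])
# rho_1 and rho_2 of the argument above for c = 3, with p continuously false
RHO_1 = ([set(), set(), set()], [4, 4, 4])
RHO_2 = ([set(), set(), set()], [5, 5, 5])

if __name__ == "__main__":
    print(satisfies(RHO_OK, PHI_BR), satisfies(RHO_BAD, PHI_BR))
    print(satisfies(RHO_1, PHI_EVEN_TIMES), satisfies(RHO_2, PHI_EVEN_TIMES))
```

On RHO_OK the q-state at time 1 arrives within one time unit of the p-state at time 0, so φ_br holds; on RHO_BAD the same states carry times 0 and 2 and φ_br fails. For ρ_1 and ρ_2, φ holds on exactly one of them (all times of ρ_1 are even, all times of ρ_2 odd) while the congruence-free PSI_NO_CONG, whose constants do not exceed c, holds on both, which is the distinction the argument above relies on.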


3.3 Nonelementary extensions

We have seen that TPTL restricts L_T to "temporal" quantification over the
state sort and no quantification over the time sort. Can we relax these restrictions
without sacrificing elementary decidability? Arbitrary quantification
over the state sort encompasses full L and is, therefore, clearly nonelementary.
In the following subsection, we study the generalization of TPTL that admits
quantification over the time sort, and show it to be nonelementary as well.

Then we try to add past temporal operators to TPTL, an extension that
does not affect the complexity of pure PTL. Therefore it is quite surprising
that the past operators render TPTL nonelementary.

3.3.1 TPTL with quantification over time

Several authors, such as [Os87] and [Ha88], have proposed to use first-order
temporal logic with a single dynamic (state) variable, T, that represents the
time in every state, for the specification of real-time properties. For instance,
they write our typical bounded response property φ_br from above essentially as

□ ∀x. (p ∧ T = x → ◇(q ∧ T ≤ x + 1)),

using auxiliary rigid (global) variables like x to refer to the time (i.e., the value
of T) of different temporal contexts.

Eliminating the state variable T, we see that this notation corresponds to
TPTL extended by classical universal and existential first-order quantification
over time:

□y. ∀x. (p ∧ y = x → ◇z. (q ∧ z ≤ x + 1)).

We call this generalization of TPTL, whose syntax definition is supplemented
by the new clause "If φ is a formula and x ∈ V, then ∃x. φ is also a formula,"
quantified TPTL or TPTL_Q. Given a timed state sequence ρ, an index i ≥ 0,
and an environment E, the classical quantifiers are interpreted as usual:

(ρ, i) ⊨_E ∃x. φ iff (ρ, i) ⊨_{E[t/x]} φ for some t ∈ TIME,

TPTL_Q seems, on the surface, more expressive than TPTL, because it can
state properties of times that are not associated with any state. But it is easy
to see that TPTL_Q can still be embedded into L_T (let F_i(∃x. φ) = ∃x. F_i(φ)).
The satisfiability of TPTL_Q is, therefore, decidable, and its expressive power,
measured as the sets of timed state sequences specifiable in the logic, is the same
as that of TPTL.

We show that TPTL_Q is, however, not elementarily decidable. This provides
additional justification for our preference for TPTL over the existing notation
with first-order quantifiers over time: prohibiting quantification over time not
only leads, as argued in [AH89], to a more natural specification language, but is
necessary for the existence of feasible verification methods, such as the tableau
techniques for TPTL.

Theorem [Complexity of TPTL_Q]. The satisfiability problem of TPTL_Q
is nonelementary. ■

Proof: We translate the nonelementary monadic first-order theory of (N, <)
([St74]) into TPTL_Q: by forcing the time to act as a state counter (using
□x.○y. y = x + 1), state quantifiers can be simulated by the time quantifiers of
TPTL_Q.

Given a formula φ of L, we construct a formula ψ of TPTL_Q such that φ
is satisfiable iff the conjunction of ψ and □x.○y. y = x + 1 is satisfiable. The
formula ψ is obtained from φ by replacing every atomic subformula of the form
p(i) by ◇x. (p ∧ x = i) (read the quantifiers of φ as quantifiers over the time
sort). ■

3.3.2 TPTL with past

In [LPZ85], PTL is extended with the past temporal operators ⊖ (previous)
and S (since), the duals of ○ and U. These operators can be added at no extra
cost, and although they do not increase the expressive power of PTL, they allow
a more direct and convenient expression of certain properties.

Let TPTL_P be the logic that results from TPTL by adding the following
clause to the inductive definition of formulas: "If φ_1 and φ_2 are formulas, then
so are ⊖φ_1 and φ_1 S φ_2." The meaning of the past operators is given by

• (ρ, i) ⊨_E ⊖φ iff i = 0 or (ρ, i − 1) ⊨_E φ, and

• (ρ, i) ⊨_E φ_1 S φ_2 iff (ρ, j) ⊨_E φ_2 for some j ≤ i and
(ρ, k) ⊨_E φ_1 for all j < k ≤ i.

Clearly, TPTL_P can still be embedded into L_T:

• F_0(⊖φ) = true, F_{i+1}(⊖φ) = F_i(φ)

• F_i(φ_1 S φ_2) = ∃j ≤ i. (F_j(φ_2) ∧ ∀j < k ≤ i. F_k(φ_1)).

Hence the satisfiability of this logic is, again, decidable, and its expressive power
is no greater than that of TPTL.

However, unlike in the case of PTL, there is a surprisingly heavy price to be
paid for adding the past operators.

Theorem [Complexity of TPTL_P]. The satisfiability problem of TPTL_P
is nonelementary. ■

Proof: Again, we are able to use the nonelementary nature of the monadic
first-order theory of (N, <). By adopting time as a state counter, we can simulate
true existential quantification over time by ◇, because the past counterpart ◈ of ◇
(eventually in the past, defined from S as usual) allows us to restore the
correct temporal context.

Given a formula φ of L, we construct a formula ψ of TPTL_P such that φ is
satisfiable iff the conjunction of ψ and □x.○y. y = x + 1 is satisfiable. The first
step in translating φ is the same as in the proof of the nonelementary complexity
of TPTL_Q. In a second step we replace every subformula of the form ∃x. φ by
y. (◇x. ◈z. (z = y ∧ φ) ∨ ◈x. ◇z. (z = y ∧ φ)). ■


3.4 Timed ETL

PTL does not have the full expressive power of the second-order language L²;
recall that the property even(p), that "p is true in every even state,"

∃q. [q(0) ∧ ∀i. (q(i) → p(i) ∧ ¬q(i+1) ∧ q(i+2))],

is not expressible in PTL ([Wo83]). That is why Wolper has defined extended
temporal logic (ETL), which includes a temporal operator for every right-linear
grammar. ETL has the same expressiveness as L², or equivalently, ω-regular
expressions, and yet a singly exponential decision procedure.

The situation for TPTL is similar: there is no TPTL-formula whose models
are precisely the timed state sequences in which, independent of the time map,
p holds at every even state.

Suppose there were such a formula φ; we show that this would imply the
expressibility of even(p) in L. First construct an L-formula φ' that is equivalent
to φ and contains the additional time-difference and time-congruence predicates
Tdiff_t and Tcong_t, as usual. Then replace, in φ', all occurrences of Tdiff_t and
Tcong_t by true or false depending on whether t = 0. This simplification does
not affect the truth of the formula over interpretations all of whose times are
permanently 0. Thus, the resulting formula ψ is satisfied by a state sequence σ
iff (σ, λi. 0) ∈ M_T(φ); that is, iff p is true in every even state of σ.

However, analogously to PTL, we are able to generalize TPTL to timed
extended temporal logic, TETL, by introducing temporal grammar operators.
TETL is shown to have the full expressive power of L_T², while being no more
expensive than TPTL.
3.4.1 Syntax and semantics

Given a set P of proposition symbols and a set V of variables, the terms of
TETL are the same as in TPTL. The formulas of TETL are inductively defined
as follows:

φ := p | π_1 ≤ π_2 | π_1 =_d π_2 | false | φ_1 → φ_2 | G(φ_1, ..., φ_m) | x. φ

where x ∈ V, p ∈ P, d ≥ 2, and G(a_1, ..., a_m) is a right-linear grammar with the
m terminal symbols a_1, ..., a_m.⁵

As with TPTL, TETL-formulas are interpreted over timed state sequences.
Given a timed state sequence ρ, an index i ≥ 0, and an environment E, the
semantics of the grammar operators is defined by the following clause:

(ρ, i) ⊨_E G(φ_1, ..., φ_m) iff there is a (possibly infinite) word
w = a_{w_0} a_{w_1} a_{w_2} ... generated by G(a_1, ..., a_m) such that
(ρ, i + j) ⊨_E φ_{w_j} for all j ≥ 0.

All temporal operators of TPTL are expressible by the grammar operators of
TETL; for example, the TPTL-operator □ corresponds to the grammar G_□(a)
with the only production G_□(a) → a G_□(a) (we identify grammars with their
starting nonterminal symbols). The formula even(p), which is not expressible
in TPTL, can be stated as G_even(true, p), for the production

G_even(a_1, a_2) → a_1 a_2 G_even(a_1, a_2).
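The grammar-operator clause above can be evaluated mechanically; the Python code below is an added example (not from the paper) that searches for a word generated by a right-linear grammar that matches a finite prefix of a state sequence, and uses it for G_□, for the alternating grammar G_even, and for an "until"-style grammar. It assumes 0-indexed states (the first terminal of the word is matched at state i itself, so p at states 0, 2, 4, ... is obtained with p as the first argument), argument formulas that are plain state predicates rather than arbitrary TETL formulas, and that a derivation still alive when the prefix ends counts as a match, since it can be continued to an infinite word; the grammars and sample sequences are constructed for the example.

```python
# Added example (not from the paper): a TETL grammar operator G(phi_1, ..., phi_m)
# evaluated over a finite prefix of a state sequence.  Argument formulas are
# state predicates (functions on the set of propositions of a state); states are
# 0-indexed; a derivation that is still alive at the end of the prefix counts
# as a match, since it can be continued to an infinite word.

# A right-linear grammar: nonterminal -> list of productions, each a pair
# (terminal indices in order, next nonterminal or None if the production ends the word).
G_BOX = {"G": [([0], "G")]}                  # G_box(a) -> a G_box(a)           (the TPTL "always")
G_EVEN = {"G": [([0, 1], "G")]}              # G_even(a1, a2) -> a1 a2 G_even(a1, a2)
G_UNTIL = {"G": [([0], "G"), ([1], None)]}   # G(a1, a2) -> a1 G(a1, a2) | a2   (the TPTL "until")


def grammar_holds(sigma, i, grammar, args, start="G"):
    """Does some word generated by `grammar` (from `start`) match states
    sigma[i], sigma[i+1], ...?  args[k](state) decides whether terminal a_k
    may stand for that state."""
    frontier = [(i, start)]          # derivations still to be explored
    seen = set()                     # (position, nonterminal) pairs already tried
    while frontier:
        pos, nonterminal = frontier.pop()
        if (pos, nonterminal) in seen:
            continue
        seen.add((pos, nonterminal))
        for terminals, successor in grammar[nonterminal]:
            p = pos
            matched = True
            for k in terminals:
                if p == len(sigma):  # prefix exhausted while the derivation is alive
                    return True
                if not args[k](sigma[p]):
                    matched = False
                    break
                p += 1
            if not matched:
                continue
            if successor is None or p == len(sigma):
                return True          # finite word completed, or alive at the prefix end
            frontier.append((p, successor))
    return False


# Constructed argument predicates and sample state sequences.
TRUE = lambda state: True
HAS_P = lambda state: "p" in state
HAS_Q = lambda state: "q" in state

EVEN_OK = [{"p"}, set(), {"p"}, {"q"}, {"p"}]      # p at states 0, 2, 4
EVEN_BAD = [{"p"}, set(), set(), {"q"}, {"p"}]     # p missing at state 2


def even_p(sigma):
    """p at every even state: G_even(p, true) with 0-indexed states."""
    return grammar_holds(sigma, 0, G_EVEN, [HAS_P, TRUE])


def always_p(sigma):
    return grammar_holds(sigma, 0, G_BOX, [HAS_P])


def p_until_q(sigma, i=0):
    return grammar_holds(sigma, i, G_UNTIL, [HAS_P, HAS_Q])


if __name__ == "__main__":
    print(even_p(EVEN_OK), even_p(EVEN_BAD))
```

The search is the standard product of the grammar's nonterminals with the positions of the prefix, which is why the `seen` set keeps it finite even for grammars with cycles; with nested temporal arguments one would replace the predicate calls by recursive evaluation of the argument formulas at position p.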


3.4.2  Complexity 

By putting together the tableau methods for ETL ([Wo83]) and TPTL ([AH89]), we develop a doubly-exponential-time decision procedure for TETL. This procedure is near-optimal; we go on to show the satisfiability problem for TETL to be EXPSPACE-complete.

Our presentation follows [AH89] closely.⁵ For the sake of keeping the presentation simple, we assume that all grammar operators correspond to productions of the form

$$\mathcal{G}(a_1, \ldots, a_m) \to a_{i_1} \mid a_{i_2}\, \mathcal{G}'(a_1, \ldots, a_m).$$

Furthermore, all TETL-formulas contain a single free variable, T (which refers to the initial time), and only timing assertions of the forms x ≤ y + c, x + c ≤ y, and x ≡_d y + c, for d > c ≥ 0. This can be achieved by renaming of variables, and easy simplifications.

⁴Like ETL, TETL can alternatively be defined using automata connectives for all Büchi-automata, instead of grammar operators ([WVS83]).

⁵The careful reader may have noticed that we use, throughout, time-difference propositions Tdiff_t that indicate the time increase t from the predecessor states, as opposed to [AH89], where these propositions represent the time difference to the successor states. This is necessary, because we have relaxed the initiality condition τ(0) = 0 on timed state sequences.
As with TPTL, for checking the satisfiability of a given TETL-formula φ we may restrict ourselves to timed state sequences ρ = (σ, τ) all of whose time steps τ(i + 1) − τ(i), i ≥ 0, are bounded by the product K of all constants occurring in φ (a constant c > 0 occurs in φ iff φ contains a subformula of the form x ≤ y + (c − 1) or x + (c − 1) ≤ y, or the predicate symbol ≡_c). The time information in ρ has, therefore, finite-state character; it can be modeled by the new propositions Tdiff_t (0 ≤ t ≤ K) representing the time differences t between successive states.

This allows us to modify the tableau-based decision procedure for ETL ([Wo83]) to handle formulas with time references. It is, in fact, included in our procedure as the special case in which φ contains no timing constraints.

The key observation underlying all tableau methods for temporal logics is that any formula can be split into two conditions: a present requirement on the initial state and a future requirement on the rest of the model. For example, the eventuality ◇φ can be satisfied by either φ or ○◇φ being true in the initial state.

In order to propagate the requirement on the successor state properly, all timing constraints need to be updated to account for the time increase t from the initial state to its successor. Consider the formula ○φ(T), and recall that the free occurrences of T are references to the initial time. This condition is true in the initial state iff the next state satisfies the updated formula φ(T − t).

If the number of conditions generated in this way is finite, checking for satisfiability is reducible to checking for satisfiability in a finite structure, the initial tableau. For t > 0, a naive replacement of T by T − t would, however, successively generate infinitely many new formulas. Fortunately, the monotonicity of time can be exploited to keep the tableau finite; the observation that x is always instantiated, "in the future," to a value greater than or equal to T allows us to simplify timing assertions of the form T ≤ x + c and x + c ≤ T to true and false, respectively.

We define, therefore, the formula φ^t that results from updating all time references T in φ inductively as follows: φ⁰ = φ; and φ^{t+1} is obtained from φ^t by replacing all terms of the form T + c (for c > 0) by T + (c − 1), and all subformulas of the form T ≤ x + c, x + c ≤ T, and T ≡_d x + c (for c ≥ 0) by true, false, and T ≡_d x + ((c + 1) mod d), respectively.
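To make the update concrete, here is an added example (not code from the paper) in Python: the one-unit update, its iteration φ^t, the freeze substitution ψ(T), and the closure under Sub for the TPTL fragment of TETL, with □ and ◇ written as primitives rather than as grammar operators. The tuple encoding of formulas, the bounded-response sample formula and the bound K = 4 are this example's own choices.

```python
T = "T"  # the single free variable: the time of the current tableau state


def shift(phi):
    """phi^(t+1) from phi^t, the paper's update of time references: a term
    T + c with c > 0 becomes T + (c - 1); an assertion comparing a bare T with a
    variable x that will only ever be frozen to a time >= T is simplified."""
    k = phi[0]
    if k == "leq":                                    # (v1 + c1) <= (v2 + c2)
        (v1, c1), (v2, c2) = phi[1], phi[2]
        if v1 == T and v2 != T:
            return ("leq", (T, c1 - 1), (v2, c2)) if c1 > 0 else ("true",)
        if v2 == T and v1 != T:
            return ("leq", (v1, c1), (T, c2 - 1)) if c2 > 0 else ("false",)
        return phi
    if k == "cong":                                   # (v1 + c1) ==_d (v2 + c2)
        d, (v1, c1), (v2, c2) = phi[1], phi[2], phi[3]
        if v1 == T and v2 != T:                       # T - 1 ==_d x + c2
            return (("cong", d, (T, c1 - 1), (v2, c2)) if c1 > 0
                    else ("cong", d, (T, 0), (v2, (c2 + 1) % d)))
        if v2 == T and v1 != T:
            return (("cong", d, (v1, c1), (T, c2 - 1)) if c2 > 0
                    else ("cong", d, (v1, (c1 + 1) % d), (T, 0)))
        return phi
    if k in ("prop", "true", "false"):
        return phi
    if k == "freeze":                                 # x.psi(x); x is never T
        return ("freeze", phi[1], shift(phi[2]))
    return (k,) + tuple(shift(a) for a in phi[1:])   # imp, and, next, always, event


def updated(phi, t):
    """phi^t: t one-unit updates in succession."""
    for _ in range(t):
        phi = shift(phi)
    return phi


def freeze_to_T(phi, x):
    """psi(T): the frozen variable x denotes the time of the current state."""
    k = phi[0]
    if k == "leq":
        return ("leq", *[(T if v == x else v, c) for v, c in phi[1:]])
    if k == "cong":
        return ("cong", phi[1], *[(T if v == x else v, c) for v, c in phi[2:]])
    if k in ("prop", "true", "false"):
        return phi
    if k == "freeze":
        return ("freeze", phi[1], freeze_to_T(phi[2], x))
    return (k,) + tuple(freeze_to_T(a, x) for a in phi[1:])


def sub(phi, K):
    """The paper's Sub, with box and diamond standing in for grammar operators
    whose productions have the shape G -> psi | psi G."""
    k = phi[0]
    if k == "next":
        return {updated(phi[1], t) for t in range(K + 1)}
    if k == "freeze":
        return {freeze_to_T(phi[2], phi[1])}
    if k in ("always", "event"):
        return {phi[1], ("next", phi)}
    if k in ("imp", "and", "not"):
        return set(phi[1:])
    return set()                                      # atoms: nothing to split


def closure(phi, K):
    """Cl(phi): the smallest set containing phi that is closed under Sub."""
    cl, todo = {phi}, [phi]
    while todo:
        for psi in sub(todo.pop(), K):
            if psi not in cl:
                cl.add(psi)
                todo.append(psi)
    return cl


# Constructed sample: box x.(p -> diamond y.(y <= x + 3 and q)); the constant 4
# occurs in it (y <= x + (4 - 1)), so time steps are bounded by K = 4.
RESPONSE = ("always", ("freeze", "x", ("imp", ("prop", "p"),
            ("event", ("freeze", "y", ("and", ("leq", ("y", 0), ("x", 3)),
                                              ("prop", "q")))))))
DEADLINE = ("leq", ("y", 0), (T, 3))                  # y <= T + 3 once x is frozen

if __name__ == "__main__":
    for t in range(5):
        print(t, updated(DEADLINE, t))                 # the deadline expires: ('false',)
    print(len(closure(RESPONSE, 4)), "formulas in Cl")  # 31
```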

Now let us collect all conditions that may arise by recursively splitting a formula into its present and future parts. The closure Cl(φ) of a TETL-formula φ is the smallest set containing φ that is closed under the following operation Sub:

• Sub(ψ₁ → ψ₂) =

• Sub(○ψ) = {ψ^t | 0 ≤ t ≤ K}

• Sub(𝒢(ψ₁, ..., ψₘ)) =

• Sub(x. ψ(x)) = {ψ(T)}.

Let N be the number of connectives, quantifiers, and grammar operators in φ, where every grammar operator is counted as the number of nonterminal symbols in the corresponding grammar. By induction on the structure of φ it can be shown that |Cl(φ)| ≤ 2N·K.

Tableaux for TETL are finite, directed state graphs (Kripke structures) with local and global consistency constraints on all states. The states are represented by consistent sets of formulas that are closed under "subformulas," expressing conditions on the current state and the successor states. Every state contains, in addition, a proposition Tdiff_t, 0 ≤ t ≤ K, which denotes the time difference to the predecessor states.

Formally, we define the states as the maximally consistent subsets of the finite universe

$$Cl^*(\phi) \;=\; Cl(\phi) \cup \{\mathit{Tdiff}_t \mid 0 \le t \le K\}$$

of TETL-formulas. The set Φ ⊆ Cl*(φ) is (maximally) consistent iff it satisfies the following conditions (where all formulas range only over Cl*(φ)):

• Tdiff_t ∈ Φ for precisely one t with 0 ≤ t ≤ K; this t ∈ TIME is referred to as Lastdiff(Φ).

• false ∉ Φ.

• ψ₁ → ψ₂ ∈ Φ iff either ψ₁ ∉ Φ or ψ₂ ∈ Φ.

• 𝒢(ψ₁, ..., ψₘ) ∈ Φ iff either ψ_{i₁} ∈ Φ or both ψ_{i₂} ∈ Φ and

• x. ψ(x) ∈ Φ iff ψ(T) ∈ Φ.

• T ~ T + c ∈ Φ iff 0 ~ c holds in ℕ (for ~ one of ≤, ≥, ≡_d, or its negation).

Now we are ready to define the initial tableau in a way that ensures the global consistency of both temporal and real-time constraints. The initial tableau 𝒯(φ) for the TETL-formula φ is a directed graph whose vertices are the consistent subsets of Cl*(φ), and which contains an edge from Φ to Ψ iff, for all ○ψ ∈ Cl(φ),

iff


The significance of the (finite) initial tableau 𝒯(φ) for the formula φ is that every model of φ corresponds to an infinite path through 𝒯(φ) along which all eventualities are satisfied ("fulfillable") in time, and vice versa. An eventuality ¬𝒢(ψ₁, ..., ψₘ) is called fulfillable along the finite path Φ₁ ... Φ_k iff either ψ_{i₁} ∉ Φ₁, or k > 1 and ¬𝒢'(ψ₁, ..., ψₘ) is fulfillable along Φ₂ ... Φ_k. By combining the corresponding arguments for ETL and TPTL, it can be shown that a TETL-formula φ is satisfiable iff 𝒯(φ) contains an infinite path Φ₀Φ₁Φ₂ ... such that φ ∈ Φ₀ and, for every i ≥ 0, ¬𝒢(ψ₁, ..., ψₘ) ∈ Φ_i implies that ¬𝒢(ψ₁, ..., ψₘ) is fulfillable along Φ_i ... Φ_k for some k ≥ i.

This result suggests a decision procedure for TETL: construct the initial tableau, and employ the usual, polynomial techniques for checking whether the tableau contains an infinite path along which all eventualities are satisfied. Since the initial tableau contains O(K · 2^{N·K}) states, each of size O(N·K), 𝒯(φ) can be constructed and checked for infinite paths in deterministic time exponential in O(N·K).

Theorem [Deciding TETL]. The satisfiability of a TETL-formula φ is decidable in deterministic time exponential in O(N·K), where N is the number of connectives, quantifiers, and grammar operators in φ, and K is the product of all constants occurring in φ (recall that every grammar operator is counted as the number of nonterminal symbols in the corresponding grammar). ■

Note that the length L of a formula φ whose constants are represented in binary is O(N + log K). So we have a decision procedure for TETL that is doubly exponential in L (although only singly exponential in N, the "untimed" part, and thus singly exponential for ETL).

The algorithm outlined here may be improved along the lines of [Wo83] to avoid the construction of the entire initial tableau. This does not, however, lower the doubly exponential deterministic-time bound; in fact, TETL is EXPSPACE-hard.

Theorem [Complexity of TETL]. The satisfiability problem of TETL is EXPSPACE-complete. ■

Proof: To show that TETL is in EXPSPACE, we follow the argument that ETL is in PSPACE, which develops a nondeterministic version of the tableau decision procedure and then applies Savitch's theorem ([Wo83]). EXPSPACE-hardness follows immediately from the corresponding result for TPTL ([AH89]).


3.4.3 Expressiveness

Although TETL is no harder than TPTL, we have demonstrated that its expressiveness is strictly greater, by specifying the property even(p). The following theorem characterizes the expressiveness of TETL as equivalent to the second-order language L²_T.

Theorem [Expressiveness of TETL]. For every formula φ of TETL, there exists a formula ψ of L²_T such that M_T(φ) = M_T(ψ), and vice versa. ■

Proof: We extend the translation F₀ that embeds TPTL into L_T to accommodate the grammar operators of TETL; the target formulas will contain second-order quantifiers over unary predicates, and thus belong to L²_T.

Again, assume that all grammar operators correspond to productions of the form

We add the following clause to the definition of F_k (k ≥ 0):

$$F_k(\mathcal{G}_0(\phi_1, \ldots, \phi_m)) \;=\; \exists p_{\mathcal{G}_0} \ldots \exists p_{\mathcal{G}_M}.\ \Big( p_{\mathcal{G}_0}(k) \wedge \forall k' \ge k.\ \bigwedge_{0 \le l \le M} \phi_{\mathcal{G}_l}(k') \Big)$$

for some new unary predicate symbols p_{𝒢₀}, ..., p_{𝒢_M}, where 𝒢₀, ..., 𝒢_M are all the nonterminal symbols occurring in the grammar 𝒢₀(a₁, ..., aₘ), and φ_𝒢(k) stands for the L²_T-formula

$$p_{\mathcal{G}}(k) \to F_k(\phi_{i_1}) \vee \big( F_k(\phi_{i_2}) \wedge p_{\mathcal{G}'}(k + 1) \big).$$

Consider an arbitrary timed state sequence ρ. We show, by induction on the structure of φ, that (ρ, k) ⊨_ℰ φ iff (ρ, k) ⊨_ℰ F_k(φ) for all k ≥ 0 and environments ℰ.

The crucial case that φ has the form 𝒢₀(φ₁, ..., φₘ) is derived as follows. To establish the existence of appropriate predicates p_{𝒢_l} (0 ≤ l ≤ M), let p_{𝒢_l} be true in state k' ≥ k iff (ρ, k') ⊨_ℰ 𝒢_l(φ₁, ..., φₘ). On the other hand, given the predicates p_{𝒢_l} satisfying φ_{𝒢_l}(k') for all k' ≥ k, we can construct a word w = a_{w₀} a_{w₁} ... generated by 𝒢₀(a₁, ..., aₘ) such that (ρ, k') ⊨_ℰ

It follows that, for any TETL-formula φ, the L²_T-formula F₀(φ) is equivalent to φ. The argument for the expressive completeness of TETL with respect to L²_T is analogous to the corresponding proof for TPTL and L_T (use the expressive completeness of ETL with respect to L²). ■

Let us complete the expressibility picture by a few remarks. The timeless expressiveness of TETL is clearly again that of the second-order language L², and thus no more than that of TPTL. It is also immediate that the congruence relations contribute even to the expressive power of TETL (and L²_T) in a nontrivial way; the property that p is true at all even times is still not expressible without congruence relations.

3.4.4 TPTL with quantification over propositions

There are several alternatives to the grammar operators of ETL. PTL can be extended by fixed-point operators (obtaining a variant of the propositional μ-calculus of [Ko82]) or second-order quantification over propositions (QPTL of [Si83]) in order to achieve the full expressive power of L². While fixed-points can be viewed as generalized grammar operators and yield to tableau methods, QPTL is nonelementary.

It is straightforward to show that both extensions have, indeed, the expected, analogous effect in the TPTL-framework; they give decidable real-time specification languages with the expressiveness of L²_T. However, timed QPTL is, as a superset of QPTL, nonelementary, and thus unsuitable as a verification formalism.
4 Metric Temporal Logic: MTL

Several authors have tried to adapt temporal logic to reason about real-time properties by interpreting its modalities as bounded operators. For example, [Ko89] suggests the notation ◇_{≤c} to express "eventually within time c." Similar temporal operators that are subscripted with constant bounds are used in [Ha88] and [EMSS89].

In this section, we extend PTL by such bounded temporal operators and interpret the resulting logic over timed state sequences. For example, the typical bounded response property that "Every p-state is followed by a q-state within time 1" will be written as □(p → ◇_{≤1} q).

It is easy to see that we have, in fact, only obtained a notational variant of a subset of TPTL (rewrite every subformula ◇_{≤c} φ as x.◇y.(y ≤ x + c ∧ φ)).

We show that this formalism is interesting, and worth studying in its own right, for two reasons. First, and surprisingly, it is already as expressive as full TPTL. And secondly, it may, unlike full TPTL, be enriched by past operators, thus resulting in what we call (following [Ko89]) metric temporal logic (MTL), without sacrificing its elementary decidability.

Hence we are able to conclude that MTL represents, again, a suitable specification and verification formalism: just like TPTL, MTL corresponds to an expressively complete and yet elementary fragment of L_T with a tableau-based decision procedure. But the two subsets of L_T corresponding to TPTL and MTL, respectively, are not identical; either one of them can state certain properties more directly and succinctly than the other one, and may therefore be preferred for some specifications.

4.1  Syntax  and  semantics 

Given a set of propositions P, the formulas φ of MTL are defined inductively as follows:

$$\phi ::= p \mid \mathit{false} \mid \phi_1 \to \phi_2 \mid \bigcirc_{\sim c}\,\phi \mid \bigcirc_{\equiv_d c}\,\phi \mid \phi_1\, U_{\sim c}\, \phi_2 \mid \phi_1\, U_{\equiv_d c}\, \phi_2 \mid \ominus_{\sim c}\,\phi \mid \ominus_{\equiv_d c}\,\phi \mid \phi_1\, S_{\sim c}\, \phi_2 \mid \phi_1\, S_{\equiv_d c}\, \phi_2$$

for p ∈ P, ~ being one of <, =, >, or ≡_d, and c ≥ 0, d ≥ 2. The defined operators ◇_{~c} φ and □_{~c} φ stand for true U_{~c} φ and ¬◇_{~c} ¬φ, respectively; other abbreviations include ◇_{≥c} φ (for ◇_{=c} φ ∨ ◇_{>c} φ) and unbounded ◇ (for ◇_{≥0}).

The formulas of MTL are interpreted over timed state sequences. Instead of giving MTL its own semantics, we translate any MTL-formula φ into a TPTL_P-formula G(φ) (let ~ stand for <, >, or =):

• G(p) = p

• G(false) = false, G(φ₁ → φ₂) = G(φ₁) → G(φ₂)

• G(○_{~c} φ) = x.○y.(y ~ x + c ∧ φ), G(○_{≡_d c} φ) = ○y.(y ≡_d c ∧ φ)

• G(⊖_{~c} φ) = x.⊖y.(x ~ y + c ∧ φ), G(⊖_{≡_d c} φ) = ⊖y.(y ≡_d c ∧ φ)

• G(φ₁ U_{~c} φ₂) = x.(φ₁ U y.(y ~ x + c ∧ φ₂))

• G(φ₁ U_{≡_d c} φ₂) = φ₁ U y.(y ≡_d c ∧ φ₂)

• G(φ₁ S_{~c} φ₂) = x.(φ₁ S y.(x ~ y + c ∧ φ₂))

• G(φ₁ S_{≡_d c} φ₂) = φ₁ S y.(y ≡_d c ∧ φ₂).

Note that ◇_{=3} p holds in a state if p is true in some future state whose time is 3 greater than the current time. However, ◇_{≡₂ 1} p holds in a state if p is true in some future state whose time is odd; the congruence subscripts refer to the absolute times of states.

It follows that both TPTL and MTL are orthogonal fragments of TPTL_P: while TPTL prohibits past operators, MTL corresponds to a subset of TPTL_P wherein all timing constraints relate only variables that refer to "adjacent" temporal contexts.


4.2  Complexity 

We show that the satisfiability problem of MTL is much simpler than the corresponding nonelementary problem of full TPTL_P, by generalizing the standard tableau-decision procedure for PTL ([BMP81]) to MTL.

The  tableau  algorithm  for  MTL  uses  the  techniques  developed  for  TPTL 
in  [AH89].  The  crucial  property  that  guarantees  the  finiteness  of  the  tableau 
being  constructed  is  that,  in  both  cases,  the  temporal  precedence  between  any 
two  temporal  contexts  related  by  a  timing  constraint  is  uniquely  determined. 
Before  giving  a  formal  definition,  we  indicate  first  how  the  algorithm  proceeds 
for  a  sample  input. 

Suppose that the time increases by one unit from a state to its successor (in general, the time increase between states can be bounded for any given formula, and thus reduced to a finite number of different cases). In order to satisfy, say, ◇_{<c} φ in the current state, we have to satisfy either φ now, or ◇_{<c−1} φ in the succeeding state. Continuing this splitting of requirements into a present and a future part, we will eventually arrive at ◇_{<1} φ, forcing φ to be satisfied in the current state.

Since every input formula φ generates only a finite number of requirements on states in the described fashion, φ is satisfiable iff it is satisfiable in a finite tableau. By bounding the maximal size of this tableau, we obtain the following result.

Theorem [Deciding MTL]. The satisfiability of an MTL-formula φ can be decided in deterministic time exponential in O(C · N), where N is the number of propositional and temporal connectives in φ, and C − 1 is the largest constant occurring, as a subscript, in φ. ■
Proof: Throughout, let ~ stand for <, >, or =. Define the closure Cl(φ) of the MTL-formula φ to be the smallest set containing φ that is closed under the following operation Sub:

• Sub(ψ₁ → ψ₂) =

• Sub(○_{~c} ψ) = {ψ}

• Sub(○_{≡_d c} ψ) = {ψ}

• Sub(ψ₁ U_{~c} ψ₂) = {ψ₁, ψ₂, ○(ψ₁ U_{~c} ψ₂)} ∪ {○(ψ₁ U_{~c'} ψ₂) | 0 ≤ c' < c}

• Sub(ψ₁ U_{≡_d c} ψ₂) = {ψ₁, ψ₂, ○(ψ₁ U_{≡_d c} ψ₂)}

• Sub(ψ₁ S_{~c} ψ₂) = {ψ₁, ψ₂, ⊖(ψ₁ S_{~c} ψ₂)} ∪ {⊖(ψ₁ S_{~c'} ψ₂) | 0 ≤ c' < c}

• Sub(ψ₁ S_{≡_d c} ψ₂) = {ψ₁, ψ₂, ⊖(ψ₁ S_{≡_d c} ψ₂)}.

If C − 1 is the largest constant occurring in φ, and N is the number of connectives (propositional and temporal) in φ, then |Cl(φ)| ≤ 2C·N.

As in TPTL, for checking the satisfiability of φ, we may restrict ourselves to timed state sequences ρ = (σ, τ) all of whose time steps τ(i + 1) − τ(i), i ≥ 0, are bounded by the product K of all constants occurring, as subscripts, in φ (count a subscript of the form ≡_d c as d). The time information in ρ has, therefore, finite-state character; it can be modeled by the new propositions Tdiff_t and Tcong_{t'}, 0 ≤ t ≤ K and 0 ≤ t' < K, representing, in any state, the time difference t from the predecessor state and the remainder t' modulo K of the current time. For ease of presentation we use, in addition, the propositions Tdiff'_t, 0 ≤ t ≤ K, to represent the time difference t to the successor state.

Let Cl*(φ) denote the set obtained from Cl(φ) by adding the new propositions Tdiff_t, Tdiff'_t, and Tcong_t. A subset Φ of Cl*(φ) is called (maximally) consistent iff it satisfies the following conditions (where all formulas range only over the finite set Cl*(φ)):

• Tdiff_t ∈ Φ for exactly one t with 0 ≤ t ≤ K; this t ∈ TIME is referred to as Lastdiff(Φ).

• Tdiff'_t ∈ Φ for exactly one t with 0 ≤ t ≤ K; this t ∈ TIME is referred to as Nextdiff(Φ).

• Tcong_t ∈ Φ for exactly one t with 0 ≤ t < K; this t ∈ TIME is referred to as Congclass(Φ).

• false ∉ Φ.

• ψ₁ → ψ₂ ∈ Φ iff either ψ₁ ∉ Φ or ψ₂ ∈ Φ.

• ψ₁ U_{=c} ψ₂ ∈ Φ iff either c = 0 and ψ₂ ∈ Φ, or ψ₁ ∈ Φ, Nextdiff(Φ) ≤ c, and ○(ψ₁ U_{=c−Nextdiff(Φ)} ψ₂) ∈ Φ.

• ψ₁ U_{<c} ψ₂ ∈ Φ iff c > 0, and either ψ₂ ∈ Φ, or ψ₁ ∈ Φ, Nextdiff(Φ) < c, and ○(ψ₁ U_{<c−Nextdiff(Φ)} ψ₂) ∈ Φ.

• ψ₁ U_{>c} ψ₂ ∈ Φ iff ψ₁ ∈ Φ and either Nextdiff(Φ) ≤ c and ○(ψ₁ U_{>c−Nextdiff(Φ)} ψ₂) ∈ Φ, or Nextdiff(Φ) > c and ○(ψ₁ U ψ₂) ∈ Φ.

• ψ₁ U_{≡_d c} ψ₂ ∈ Φ iff either Congclass(Φ) ≡_d c and ψ₂ ∈ Φ, or ψ₁ ∈ Φ and ○(ψ₁ U_{≡_d c} ψ₂) ∈ Φ.

Similar conditions are put on the S-formulas in Φ to ensure their consistency with Lastdiff(Φ).
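As an added example, not from the paper, the until-conditions above coded as a present/future split: for a state with a given Nextdiff and Congclass it lists the ways an until-formula can be consistent, and collects the subscripted until-formulas a successor can be asked for when time steps are bounded by K. The tuple encoding (with `None` for the unbounded until) and the sample formulas are this example's own assumptions.

```python
TRUE = ("imp", ("false",), ("false",))    # true is false -> false in MTL


def split(phi, nextdiff, congclass):
    """Alternatives under which an until-formula belongs to a consistent tableau
    state Phi with Nextdiff(Phi) = nextdiff and Congclass(Phi) = congclass,
    following the paper's conditions for U_{=c}, U_{<c}, U_{>c} and U_{=_d c}.
    Each alternative is (formulas required now, obligation on the successor or
    None); an empty list means phi cannot belong to such a state at all."""
    _, sub, a, b = phi
    if sub is None:                          # unbounded until: b now, or a now and phi next
        return [({b}, None), ({a}, phi)]
    if sub[0] == "cong":                     # ("cong", d, c): absolute time mod d
        alts = [({b}, None)] if congclass % sub[1] == sub[2] % sub[1] else []
        return alts + [({a}, phi)]
    rel, c = sub
    alts = []
    if rel == "=":
        if c == 0:
            alts.append(({b}, None))
        if nextdiff <= c:
            alts.append(({a}, ("until", ("=", c - nextdiff), a, b)))
    elif rel == "<":
        if c > 0:
            alts.append(({b}, None))
            if nextdiff < c:
                alts.append(({a}, ("until", ("<", c - nextdiff), a, b)))
    else:                                    # ">"
        if nextdiff <= c:
            alts.append(({a}, ("until", (">", c - nextdiff), a, b)))
        else:                                # the bound is already passed
            alts.append(({a}, ("until", None, a, b)))
    return alts


def reachable(phi, K):
    """Every until-formula that splitting can pass on to a successor when time
    steps are bounded by K: the finite set of subscripts the tableau must track."""
    seen, todo = {phi}, [phi]
    while todo:
        psi = todo.pop()
        for t in range(K + 1):
            for _, nxt in split(psi, t, 0):
                if nxt is not None and nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
    return seen


Q = ("prop", "q")
F_LT3 = ("until", ("<", 3), TRUE, Q)            # diamond_{<3} q
U_EQ2 = ("until", ("=", 2), ("prop", "p"), Q)   # p U_{=2} q

if __name__ == "__main__":
    for t in (1, 3):
        print("F_{<3} q with Nextdiff =", t, "->", split(F_LT3, t, 0))
    print("p U_{=2} q with Nextdiff = 3 ->", split(U_EQ2, 3, 0))   # []: deadline missed
    print(len(reachable(F_LT3, 3)), "subscripted variants reachable")  # 3
```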

The initial tableau 𝒯(φ) for the MTL-formula φ is a directed graph whose vertices are the consistent subsets of Cl*(φ), and which contains an edge from Φ to Ψ iff all of the following conditions are met:

• Nextdiff(Φ) = Lastdiff(Ψ).

• Congclass(Ψ) ≡_K Congclass(Φ) + Nextdiff(Φ).

• For all ○_{~c} ψ ∈ Cl(φ), ○_{~c} ψ ∈ Φ iff ψ ∈ Ψ and Nextdiff(Φ) ~ c.

• For all ○_{≡_d c} ψ ∈ Cl(φ), ○_{≡_d c} ψ ∈ Φ iff ψ ∈ Ψ and Congclass(Ψ) ≡_d c.

• For all ⊖_{~c} ψ ∈ Cl(φ), ⊖_{~c} ψ ∈ Ψ iff ψ ∈ Φ and Nextdiff(Φ) ~ c.

• For all ⊖_{≡_d c} ψ ∈ Cl(φ), ⊖_{≡_d c} ψ ∈ Ψ iff ψ ∈ Φ and Congclass(Φ) ≡_d c.

It follows that an MTL-formula φ is satisfiable iff the initial tableau 𝒯(φ) contains an infinite path Φ = Φ₀Φ₁Φ₂ ... such that

• φ ∈ Φ₀,

• Φ₀ contains no ⊖-formula,

• for all i ≥ 0, ψ₁ U_{~c} ψ₂ ∈ Φ_i implies ψ₂ ∈ Φ_j for some j ≥ i with Σ_{i≤k<j} Nextdiff(Φ_k) ~ c, and

• for all i ≥ 0, ψ₁ U_{≡_d c} ψ₂ ∈ Φ_i implies ψ₂ ∈ Φ_j for some j ≥ i with Congclass(Φ_j) ≡_d c.

The  proof  is  similar  to  the  corresponding  argument  for  TPTL  ([AH89]). 

Since the initial tableau contains O(K · 2^{C·N}) states, each of size O(C·N), 𝒯(φ) can be constructed and checked for infinite paths in deterministic time exponential in O(C·N). ■

Note  that  although  the  (worst-case)  running  time  of  the  tableau  algorithm 
is  slightly  faster  for  MTL  than  for  TPTL  (for  which  the  product  of  all  constants 
appears  in  the  exponent),  it  is  still  doubly  exponential  in  the  length  of  the  input 
formula.  In  fact,  both  formalisms  are  EXPSPACE-complete. 




Theorem [Complexity of MTL]. The satisfiability problem for MTL is EXPSPACE-complete. ■

Proof: From a nondeterministic version of the tableau algorithm, it follows that MTL is in EXPSPACE. The corresponding lower bound can be shown similarly to the analogous result for TPTL, by simulating EXPSPACE-bounded Turing machines ([AH89]). ■

4.3  Expressiveness 

Because of the past operators, MTL can express certain properties more succinctly than TPTL. On the other hand, consider the following TPTL-formula ("Every p-state is followed by a q-state and, later, an r-state within time 5"):

$$\Box x.\,[p \to \Diamond(q \wedge \Diamond y.\,(r \wedge y \le x + 5))].$$

This property has no natural expression in MTL. However, because of the discrete nature of the underlying time domain, it can be translated into MTL as follows:

$$\Box\Big(p \to \bigvee_{c=0}^{5} \Diamond_{=c}\,(q \wedge \Diamond_{\le 5-c}\, r)\Big).$$
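The remark on ◇_{=3} versus ◇_{≡₂ 1} in Section 4.1 and the translation just given can both be checked on a concrete sequence. The following added example (not the paper's code) evaluates MTL formulas over a constructed finite prefix of a timed state sequence by reading the semantics off the translation G, and compares the TPTL property with its MTL rendering; the tuple encoding, the sample sequence, and the reading of ◇_{≤c} as ◇_{=c} ∨ ◇_{<c} are this example's own assumptions.

```python
import operator

REL = {"<": operator.lt, "=": operator.eq, ">": operator.gt}

# Constructed sample timed state sequence rho = (SIGMA, TAU): a finite prefix,
# states given as sets of true propositions, TAU non-decreasing (discrete time).
SIGMA = [{"p"}, {"q"}, set(), {"r"}, {"p"}, set(), {"q"}, set(), {"r"}, set()]
TAU   = [0,     1,     3,     3,     4,     6,     6,     7,     9,     11]
RHO = (SIGMA, TAU)


def P(name):
    return ("prop", name)


def admits(sub, tau, i, j, past):
    """Does state j satisfy the subscript of an operator evaluated at state i?
    (rel, c): tau(j) rel tau(i) + c looking forward, tau(i) rel tau(j) + c
    looking back; ("cong", d, c): the absolute time tau(j) is c modulo d."""
    if sub[0] == "cong":
        return tau[j] % sub[1] == sub[2] % sub[1]
    rel, c = sub
    return REL[rel](tau[i], tau[j] + c) if past else REL[rel](tau[j], tau[i] + c)


def holds(phi, rho, i):
    """(rho, i) |= phi for nested-tuple MTL formulas, read off the paper's
    translation G into TPTL_P. 'always' is the unbounded box; 'eventually' and
    'once' are true U_sub and true S_sub. Quantification over states ranges
    over the finite prefix only (an assumption of this example)."""
    sigma, tau = rho
    k = phi[0]
    if k == "prop":
        return phi[1] in sigma[i]
    if k == "false":
        return False
    if k == "not":
        return not holds(phi[1], rho, i)
    if k == "imp":
        return holds(phi[2], rho, i) or not holds(phi[1], rho, i)
    if k == "and":
        return holds(phi[1], rho, i) and holds(phi[2], rho, i)
    if k == "or":
        return holds(phi[1], rho, i) or holds(phi[2], rho, i)
    if k == "always":
        return all(holds(phi[1], rho, j) for j in range(i, len(sigma)))
    if k in ("until", "since"):
        _, sub, a, b = phi
    else:                                   # "eventually" / "once"
        _, sub, b = phi
        a = ("not", ("false",))
    past = k in ("since", "once")
    for j in (range(i, -1, -1) if past else range(i, len(sigma))):
        between = range(j + 1, i + 1) if past else range(i, j)   # where a must hold
        if (admits(sub, tau, i, j, past) and holds(b, rho, j)
                and all(holds(a, rho, m) for m in between)):
            return True
    return False


def tptl_response(rho, bound):
    """Brute-force check of box x.[p -> F(q and F y.(r and y <= x + bound))]."""
    sigma, tau = rho
    n = len(sigma)
    return all(any("q" in sigma[j]
                   and any("r" in sigma[m] and tau[m] <= tau[i] + bound
                           for m in range(j, n))
                   for j in range(i, n))
               for i in range(n) if "p" in sigma[i])


def mtl_response(bound):
    """The paper's MTL rendering box(p -> OR_{c=0..bound} F_{=c}(q and F_{<=bound-c} r)),
    with F_{<=c} read as F_{=c} or F_{<c}."""
    def f_leq(c, psi):
        return ("or", ("eventually", ("=", c), psi), ("eventually", ("<", c), psi))
    disj = ("false",)
    for c in range(bound + 1):
        disj = ("or", disj, ("eventually", ("=", c), ("and", P("q"), f_leq(bound - c, P("r")))))
    return ("always", ("imp", P("p"), disj))


if __name__ == "__main__":
    print(holds(("eventually", ("=", 3), P("r")), RHO, 0))        # True: r at time 0 + 3
    print(holds(("eventually", ("cong", 2, 1), P("q")), RHO, 0))  # True: q at odd time 1
    for b in (4, 5):
        print(b, holds(mtl_response(b), RHO, 0), tptl_response(RHO, b))  # agree: False, True
```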

In fact, we show that the expressiveness of MTL is no less than that of TPTL in any crucial way. Only properties that put constraints on the time of the initial state, such as "The time of the initial state is 2" (x = 2 in TPTL), are not expressible in our version of MTL. It can be argued that for the purpose of the analysis of real-time systems, the absolute time of the initial state is of no importance.

Let us call a timed state sequence (σ, τ) initial if the time of its initial state is 0; that is, τ(0) = 0. The following theorem states that if expressiveness is measured by the sets of initial models definable in a real-time logic, then MTL has the same expressive power as L_T, or equivalently, TPTL.

Theorem [Expressive completeness of MTL]. For every formula φ of L_T, there exists a formula ψ of MTL (without past operators) such that ρ ⊨ ψ iff ρ ⊨ φ for every initial timed state sequence ρ. ■

Proof: As in the proof of the expressive completeness of TPTL, given a formula φ of L_T, construct a PTL-formula φ' with additional time-difference propositions Tdiff_t, 0 ≤ t ≤ d(φ), and time-congruence propositions Tcong_t. Furthermore, in φ' all propositions Tdiff_t and Tcong_t are either not within the scope of any temporal operator, or immediately preceded by a next operator.

From φ' we obtain the desired formula by eliminating the time-difference and time-congruence propositions as follows. Since we consider only initial models, replace each Tdiff_t and Tcong_t that is not within the scope of any temporal operator by true or false, depending on whether t = 0. Then replace ○Tdiff_t (for 0 ≤ t < d(φ)) by ○_{=t} true, ○Tdiff_{d(φ)} by ○_{≥d(φ)} true, and ○Tcong_t by (Observe that only the next operator needs to be subscripted.) ■

5  Discussion 

We have shown that only a very weak arithmetic over a discrete domain of time can be combined with PTL to obtain decidable real-time logics. We have then identified two ways of constraining the syntax further, to find elementary real-time extensions of PTL with the full expressive power of the underlying classical theory of timed state sequences.

Thus, TPTL and MTL occupy a position among real-time logics that is as appealing as the standing of PTL for qualitative reasoning. However, both TPTL and MTL have EXPSPACE-complete satisfiability problems. Our decision algorithms are of a time complexity doubly exponential in the length of the timing constraints (though only singly exponential in the number of temporal and logical operators). On the other hand, PTL is PSPACE-complete, and has a singly exponential decision procedure. We claim that this is because reasoning in L_T is intrinsically expensive.

A closer look at our proof of the EXPSPACE-hardness of TPTL ([AH89]) suggests that any extension of PTL that allows the expression of timing constraints of the form "The time of one state is within a certain (constant) distance from the time of another state," using binary encoding for the time constants, is EXPSPACE-hard. Even the identification of next-time with next-state (time as a state counter) is of no help in complexity; introducing the abbreviation ○^k for a sequence of k successive next operators makes PTL EXPSPACE-hard! Thus the price of an extra exponential is caused by the succinctness of the notation introduced by the binary encoding of the constants.